asyncrat | e7b067c6a4b7ebf676eebc9b60c80be110c607e681220cce63675ba95068fa84

Analysis

max time kernel
119s
max time network
192s
platform
windows7_x64
resource
win7v20210410
submitted
12-07-2021 15:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Product Emm 803030830019971 10082982820091989 109938377338393.exe
Size

17KB
MD5

728961a48344fe5a70b1e3018e44c117
SHA1

4a9445a76f3d5b8713446dd98e9d5941a9f02b19
SHA256

e7b067c6a4b7ebf676eebc9b60c80be110c607e681220cce63675ba95068fa84
SHA512

4365af4884c40f047d826e81e4e9d09b138daccbdec53da5152d2b5261a0af6d352af2ad6a72e9b1d399664938f0f5cddb4f298e96b621ef1eb80943dac770b4

Score

10^/10

asyncrat warzonerat evasion infostealer persistence rat spyware stealer trojan

Malware Config

Extracted

Family

asyncrat

Version

0.5.6A

194.5.98.174:1515

olodofries.ddns.net:1515

Mutex

jclrvciebeihebxaath

Attributes

aes_key
3CB55D8z04noSTo6JKEyNvPQrV3BwqD8
anti_detection
false
autorun
false
bdos
false
delay
host
194.5.98.174,olodofries.ddns.net
hwid
5
install_file
install_folder
%AppData%
mutex
jclrvciebeihebxaath
pastebin_config
null
port
1515
version
0.5.6A

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat
UAC bypass 3 TTPs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112

Async RAT payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/2464-166-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral1/memory/2464-165-0x000000000040C3EE-mapping.dmp	asyncrat
behavioral1/memory/2464-164-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat

Nirsoft 1 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\c6572912-9fed-40eb-8167-8ef3e035b1a0\e9634e44-526f-48f1-be82-b2b23ef19387.exe	Nirsoft

Warzone RAT Payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/2952-314-0x0000000000405CE2-mapping.dmp	warzonerat
behavioral1/memory/2932-319-0x0000000000405CE2-mapping.dmp	warzonerat

Executes dropped EXE 11 IoCs

Processes:

ލޛޝޘމݘލ.exetmp5D39.tmp.exetmp5D59.tmp.exetmp6C60.tmp.exetmp6D3B.tmp.exee9634e44-526f-48f1-be82-b2b23ef19387.exee9634e44-526f-48f1-be82-b2b23ef19387.exe5b7c3625-1b2e-44b9-8ce2-a76b5fad6ec7.exe5b7c3625-1b2e-44b9-8ce2-a76b5fad6ec7.exetmp5D59.tmp.exetmp5D39.tmp.exe

pid	process
1504	ލޛޝޘމݘލ.exe
2332	tmp5D39.tmp.exe
1028	tmp5D59.tmp.exe
2600	tmp6C60.tmp.exe
2652	tmp6D3B.tmp.exe
2300	e9634e44-526f-48f1-be82-b2b23ef19387.exe
2756	e9634e44-526f-48f1-be82-b2b23ef19387.exe
2892	5b7c3625-1b2e-44b9-8ce2-a76b5fad6ec7.exe
2920	5b7c3625-1b2e-44b9-8ce2-a76b5fad6ec7.exe
2952	tmp5D59.tmp.exe
2932	tmp5D39.tmp.exe

Drops startup file 8 IoCs

Processes:

cmd.exetmp5D59.tmp.execmd.exetmp5D39.tmp.exeProduct Emm 803030830019971 10082982820091989 109938377338393.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tmp5D59.tmp.exe	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tmp5D59.tmp.exe	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tmp5D59.tmp.exe	tmp5D59.tmp.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tmp5D39.tmp.exe	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tmp5D39.tmp.exe	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tmp5D39.tmp.exe	tmp5D39.tmp.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ލޛޝޘމݘލ.exe	Product Emm 803030830019971 10082982820091989 109938377338393.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ލޛޝޘމݘލ.exe	Product Emm 803030830019971 10082982820091989 109938377338393.exe

Loads dropped DLL 27 IoCs

Processes:

Product Emm 803030830019971 10082982820091989 109938377338393.execmd.execmd.execmd.execmd.exetmp6D3B.tmp.exee9634e44-526f-48f1-be82-b2b23ef19387.exetmp6C60.tmp.exe5b7c3625-1b2e-44b9-8ce2-a76b5fad6ec7.exetmp5D59.tmp.exetmp5D39.tmp.exetmp5D59.tmp.exetmp5D39.tmp.exe

pid	process
1808	Product Emm 803030830019971 10082982820091989 109938377338393.exe
2288	cmd.exe
2036	cmd.exe
1772	cmd.exe
2576	cmd.exe
2652	tmp6D3B.tmp.exe
2652	tmp6D3B.tmp.exe
2300	e9634e44-526f-48f1-be82-b2b23ef19387.exe
2300	e9634e44-526f-48f1-be82-b2b23ef19387.exe
2600	tmp6C60.tmp.exe
2600	tmp6C60.tmp.exe
2892	5b7c3625-1b2e-44b9-8ce2-a76b5fad6ec7.exe
2892	5b7c3625-1b2e-44b9-8ce2-a76b5fad6ec7.exe
1028	tmp5D59.tmp.exe
2332	tmp5D39.tmp.exe
2952	tmp5D59.tmp.exe
2952	tmp5D59.tmp.exe
2952	tmp5D59.tmp.exe
2952	tmp5D59.tmp.exe
2952	tmp5D59.tmp.exe
2952	tmp5D59.tmp.exe
2932	tmp5D39.tmp.exe
2932	tmp5D39.tmp.exe
2932	tmp5D39.tmp.exe
2932	tmp5D39.tmp.exe
2932	tmp5D39.tmp.exe
2932	tmp5D39.tmp.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 5 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

Product Emm 803030830019971 10082982820091989 109938377338393.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ލޛޝޘމݘލ.exe = "0"	Product Emm 803030830019971 10082982820091989 109938377338393.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Public\Documents\\svchost.exe = "0"	Product Emm 803030830019971 10082982820091989 109938377338393.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	Product Emm 803030830019971 10082982820091989 109938377338393.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions	Product Emm 803030830019971 10082982820091989 109938377338393.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\Product Emm 803030830019971 10082982820091989 109938377338393.exe = "0"	Product Emm 803030830019971 10082982820091989 109938377338393.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Product Emm 803030830019971 10082982820091989 109938377338393.exeލޛޝޘމݘލ.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\ލޛޝޘމݘލ = "C:\\Users\\Public\\Documents\\\ueb5f\ueb61\ueb60\ueb5c\ueb31\ueb3c\ueb30\ueb42\ueb3f\ueb4f\ueb30\ueb2d\ueb2f\ueb60\ueb5e\ueb52\ueb2e\ueb3c\ueb34\ueb31\ueb6e\ueb69\ueb5e\ueb5f\\svchost.exe"	Product Emm 803030830019971 10082982820091989 109938377338393.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\ލޛޝޘމݘލ = "C:\\Users\\Public\\Documents\\\ueb5f\ueb61\ueb60\ueb5c\ueb31\ueb3c\ueb30\ueb42\ueb3f\ueb4f\ueb30\ueb2d\ueb2f\ueb60\ueb5e\ueb52\ueb2e\ueb3c\ueb34\ueb31\ueb6e\ueb69\ueb5e\ueb5f\\svchost.exe"	ލޛޝޘމݘލ.exe

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

Product Emm 803030830019971 10082982820091989 109938377338393.exeލޛޝޘމݘލ.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Product Emm 803030830019971 10082982820091989 109938377338393.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Product Emm 803030830019971 10082982820091989 109938377338393.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ލޛޝޘމݘލ.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ލޛޝޘމݘލ.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

Product Emm 803030830019971 10082982820091989 109938377338393.exetmp5D59.tmp.exetmp5D39.tmp.exe

description	pid	process	target process
PID 1808 set thread context of 2464	1808	Product Emm 803030830019971 10082982820091989 109938377338393.exe	Product Emm 803030830019971 10082982820091989 109938377338393.exe
PID 1028 set thread context of 2952	1028	tmp5D59.tmp.exe	tmp5D59.tmp.exe
PID 2332 set thread context of 2932	2332	tmp5D39.tmp.exe	tmp5D39.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeލޛޝޘމݘލ.exeProduct Emm 803030830019971 10082982820091989 109938377338393.exetmp5D59.tmp.exetmp5D39.tmp.exee9634e44-526f-48f1-be82-b2b23ef19387.exee9634e44-526f-48f1-be82-b2b23ef19387.exe5b7c3625-1b2e-44b9-8ce2-a76b5fad6ec7.exe

pid	process
564	powershell.exe
292	powershell.exe
776	powershell.exe
1108	powershell.exe
1536	powershell.exe
1604	powershell.exe
1384	powershell.exe
1580	powershell.exe
840	powershell.exe
2140	powershell.exe
1068	powershell.exe
1604	powershell.exe
292	powershell.exe
1108	powershell.exe
1536	powershell.exe
776	powershell.exe
1068	powershell.exe
564	powershell.exe
840	powershell.exe
1384	powershell.exe
2140	powershell.exe
1580	powershell.exe
1504	ލޛޝޘމݘލ.exe
1504	ލޛޝޘމݘލ.exe
2464	Product Emm 803030830019971 10082982820091989 109938377338393.exe
1028	tmp5D59.tmp.exe
1028	tmp5D59.tmp.exe
1028	tmp5D59.tmp.exe
2332	tmp5D39.tmp.exe
2332	tmp5D39.tmp.exe
2332	tmp5D39.tmp.exe
2300	e9634e44-526f-48f1-be82-b2b23ef19387.exe
2300	e9634e44-526f-48f1-be82-b2b23ef19387.exe
2756	e9634e44-526f-48f1-be82-b2b23ef19387.exe
2756	e9634e44-526f-48f1-be82-b2b23ef19387.exe
1028	tmp5D59.tmp.exe
1028	tmp5D59.tmp.exe
1028	tmp5D59.tmp.exe
1028	tmp5D59.tmp.exe
1028	tmp5D59.tmp.exe
1028	tmp5D59.tmp.exe
1028	tmp5D59.tmp.exe
1028	tmp5D59.tmp.exe
1028	tmp5D59.tmp.exe
1028	tmp5D59.tmp.exe
1028	tmp5D59.tmp.exe
1028	tmp5D59.tmp.exe
1028	tmp5D59.tmp.exe
1028	tmp5D59.tmp.exe
1028	tmp5D59.tmp.exe
1028	tmp5D59.tmp.exe
1028	tmp5D59.tmp.exe
1028	tmp5D59.tmp.exe
1028	tmp5D59.tmp.exe
1028	tmp5D59.tmp.exe
1028	tmp5D59.tmp.exe
1028	tmp5D59.tmp.exe
1028	tmp5D59.tmp.exe
1028	tmp5D59.tmp.exe
1028	tmp5D59.tmp.exe
1028	tmp5D59.tmp.exe
1028	tmp5D59.tmp.exe
1028	tmp5D59.tmp.exe
2892	5b7c3625-1b2e-44b9-8ce2-a76b5fad6ec7.exe

Suspicious use of AdjustPrivilegeToken 26 IoCs

Processes:

Product Emm 803030830019971 10082982820091989 109938377338393.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeލޛޝޘމݘލ.exepowershell.exepowershell.exepowershell.exepowershell.exeProduct Emm 803030830019971 10082982820091989 109938377338393.exetmp5D59.tmp.exetmp6C60.tmp.exetmp6D3B.tmp.exetmp5D39.tmp.exee9634e44-526f-48f1-be82-b2b23ef19387.exee9634e44-526f-48f1-be82-b2b23ef19387.exe5b7c3625-1b2e-44b9-8ce2-a76b5fad6ec7.exe5b7c3625-1b2e-44b9-8ce2-a76b5fad6ec7.exe

description	pid	process
Token: SeDebugPrivilege	1808	Product Emm 803030830019971 10082982820091989 109938377338393.exe
Token: SeDebugPrivilege	564	powershell.exe
Token: SeDebugPrivilege	292	powershell.exe
Token: SeDebugPrivilege	776	powershell.exe
Token: SeDebugPrivilege	1108	powershell.exe
Token: SeDebugPrivilege	1536	powershell.exe
Token: SeDebugPrivilege	1604	powershell.exe
Token: SeDebugPrivilege	1384	powershell.exe
Token: SeDebugPrivilege	1504	ލޛޝޘމݘލ.exe
Token: SeDebugPrivilege	1580	powershell.exe
Token: SeDebugPrivilege	840	powershell.exe
Token: SeDebugPrivilege	2140	powershell.exe
Token: SeDebugPrivilege	1068	powershell.exe
Token: SeDebugPrivilege	2464	Product Emm 803030830019971 10082982820091989 109938377338393.exe
Token: SeDebugPrivilege	1028	tmp5D59.tmp.exe
Token: SeDebugPrivilege	2600	tmp6C60.tmp.exe
Token: SeDebugPrivilege	2652	tmp6D3B.tmp.exe
Token: SeDebugPrivilege	2332	tmp5D39.tmp.exe
Token: SeDebugPrivilege	2300	e9634e44-526f-48f1-be82-b2b23ef19387.exe
Token: SeImpersonatePrivilege	2300	e9634e44-526f-48f1-be82-b2b23ef19387.exe
Token: SeDebugPrivilege	2756	e9634e44-526f-48f1-be82-b2b23ef19387.exe
Token: SeImpersonatePrivilege	2756	e9634e44-526f-48f1-be82-b2b23ef19387.exe
Token: SeDebugPrivilege	2892	5b7c3625-1b2e-44b9-8ce2-a76b5fad6ec7.exe
Token: SeImpersonatePrivilege	2892	5b7c3625-1b2e-44b9-8ce2-a76b5fad6ec7.exe
Token: SeDebugPrivilege	2920	5b7c3625-1b2e-44b9-8ce2-a76b5fad6ec7.exe
Token: SeImpersonatePrivilege	2920	5b7c3625-1b2e-44b9-8ce2-a76b5fad6ec7.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

tmp5D59.tmp.exetmp5D39.tmp.exe

pid process

2952 tmp5D59.tmp.exe
2932 tmp5D39.tmp.exe

pid	process
2952	tmp5D59.tmp.exe
2932	tmp5D39.tmp.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Product Emm 803030830019971 10082982820091989 109938377338393.exeލޛޝޘމݘލ.exeProduct Emm 803030830019971 10082982820091989 109938377338393.exe

description	pid	process	target process
PID 1808 wrote to memory of 776	1808	Product Emm 803030830019971 10082982820091989 109938377338393.exe	powershell.exe
PID 1808 wrote to memory of 776	1808	Product Emm 803030830019971 10082982820091989 109938377338393.exe	powershell.exe
PID 1808 wrote to memory of 776	1808	Product Emm 803030830019971 10082982820091989 109938377338393.exe	powershell.exe
PID 1808 wrote to memory of 776	1808	Product Emm 803030830019971 10082982820091989 109938377338393.exe	powershell.exe
PID 1808 wrote to memory of 564	1808	Product Emm 803030830019971 10082982820091989 109938377338393.exe	powershell.exe
PID 1808 wrote to memory of 564	1808	Product Emm 803030830019971 10082982820091989 109938377338393.exe	powershell.exe
PID 1808 wrote to memory of 564	1808	Product Emm 803030830019971 10082982820091989 109938377338393.exe	powershell.exe
PID 1808 wrote to memory of 564	1808	Product Emm 803030830019971 10082982820091989 109938377338393.exe	powershell.exe
PID 1808 wrote to memory of 1108	1808	Product Emm 803030830019971 10082982820091989 109938377338393.exe	powershell.exe
PID 1808 wrote to memory of 1108	1808	Product Emm 803030830019971 10082982820091989 109938377338393.exe	powershell.exe
PID 1808 wrote to memory of 1108	1808	Product Emm 803030830019971 10082982820091989 109938377338393.exe	powershell.exe
PID 1808 wrote to memory of 1108	1808	Product Emm 803030830019971 10082982820091989 109938377338393.exe	powershell.exe
PID 1808 wrote to memory of 292	1808	Product Emm 803030830019971 10082982820091989 109938377338393.exe	powershell.exe
PID 1808 wrote to memory of 292	1808	Product Emm 803030830019971 10082982820091989 109938377338393.exe	powershell.exe
PID 1808 wrote to memory of 292	1808	Product Emm 803030830019971 10082982820091989 109938377338393.exe	powershell.exe
PID 1808 wrote to memory of 292	1808	Product Emm 803030830019971 10082982820091989 109938377338393.exe	powershell.exe
PID 1808 wrote to memory of 1504	1808	Product Emm 803030830019971 10082982820091989 109938377338393.exe	ލޛޝޘމݘލ.exe
PID 1808 wrote to memory of 1504	1808	Product Emm 803030830019971 10082982820091989 109938377338393.exe	ލޛޝޘމݘލ.exe
PID 1808 wrote to memory of 1504	1808	Product Emm 803030830019971 10082982820091989 109938377338393.exe	ލޛޝޘމݘލ.exe
PID 1808 wrote to memory of 1504	1808	Product Emm 803030830019971 10082982820091989 109938377338393.exe	ލޛޝޘމݘލ.exe
PID 1808 wrote to memory of 1536	1808	Product Emm 803030830019971 10082982820091989 109938377338393.exe	powershell.exe
PID 1808 wrote to memory of 1536	1808	Product Emm 803030830019971 10082982820091989 109938377338393.exe	powershell.exe
PID 1808 wrote to memory of 1536	1808	Product Emm 803030830019971 10082982820091989 109938377338393.exe	powershell.exe
PID 1808 wrote to memory of 1536	1808	Product Emm 803030830019971 10082982820091989 109938377338393.exe	powershell.exe
PID 1808 wrote to memory of 1604	1808	Product Emm 803030830019971 10082982820091989 109938377338393.exe	powershell.exe
PID 1808 wrote to memory of 1604	1808	Product Emm 803030830019971 10082982820091989 109938377338393.exe	powershell.exe
PID 1808 wrote to memory of 1604	1808	Product Emm 803030830019971 10082982820091989 109938377338393.exe	powershell.exe
PID 1808 wrote to memory of 1604	1808	Product Emm 803030830019971 10082982820091989 109938377338393.exe	powershell.exe
PID 1808 wrote to memory of 1384	1808	Product Emm 803030830019971 10082982820091989 109938377338393.exe	powershell.exe
PID 1808 wrote to memory of 1384	1808	Product Emm 803030830019971 10082982820091989 109938377338393.exe	powershell.exe
PID 1808 wrote to memory of 1384	1808	Product Emm 803030830019971 10082982820091989 109938377338393.exe	powershell.exe
PID 1808 wrote to memory of 1384	1808	Product Emm 803030830019971 10082982820091989 109938377338393.exe	powershell.exe
PID 1504 wrote to memory of 1580	1504	ލޛޝޘމݘލ.exe	powershell.exe
PID 1504 wrote to memory of 1580	1504	ލޛޝޘމݘލ.exe	powershell.exe
PID 1504 wrote to memory of 1580	1504	ލޛޝޘމݘލ.exe	powershell.exe
PID 1504 wrote to memory of 1580	1504	ލޛޝޘމݘލ.exe	powershell.exe
PID 1504 wrote to memory of 840	1504	ލޛޝޘމݘލ.exe	powershell.exe
PID 1504 wrote to memory of 840	1504	ލޛޝޘމݘލ.exe	powershell.exe
PID 1504 wrote to memory of 840	1504	ލޛޝޘމݘލ.exe	powershell.exe
PID 1504 wrote to memory of 840	1504	ލޛޝޘމݘލ.exe	powershell.exe
PID 1504 wrote to memory of 1068	1504	ލޛޝޘމݘލ.exe	powershell.exe
PID 1504 wrote to memory of 1068	1504	ލޛޝޘމݘލ.exe	powershell.exe
PID 1504 wrote to memory of 1068	1504	ލޛޝޘމݘލ.exe	powershell.exe
PID 1504 wrote to memory of 1068	1504	ލޛޝޘމݘލ.exe	powershell.exe
PID 1504 wrote to memory of 2140	1504	ލޛޝޘމݘލ.exe	powershell.exe
PID 1504 wrote to memory of 2140	1504	ލޛޝޘމݘލ.exe	powershell.exe
PID 1504 wrote to memory of 2140	1504	ލޛޝޘމݘލ.exe	powershell.exe
PID 1504 wrote to memory of 2140	1504	ލޛޝޘމݘލ.exe	powershell.exe
PID 1808 wrote to memory of 2464	1808	Product Emm 803030830019971 10082982820091989 109938377338393.exe	Product Emm 803030830019971 10082982820091989 109938377338393.exe
PID 1808 wrote to memory of 2464	1808	Product Emm 803030830019971 10082982820091989 109938377338393.exe	Product Emm 803030830019971 10082982820091989 109938377338393.exe
PID 1808 wrote to memory of 2464	1808	Product Emm 803030830019971 10082982820091989 109938377338393.exe	Product Emm 803030830019971 10082982820091989 109938377338393.exe
PID 1808 wrote to memory of 2464	1808	Product Emm 803030830019971 10082982820091989 109938377338393.exe	Product Emm 803030830019971 10082982820091989 109938377338393.exe
PID 1808 wrote to memory of 2464	1808	Product Emm 803030830019971 10082982820091989 109938377338393.exe	Product Emm 803030830019971 10082982820091989 109938377338393.exe
PID 1808 wrote to memory of 2464	1808	Product Emm 803030830019971 10082982820091989 109938377338393.exe	Product Emm 803030830019971 10082982820091989 109938377338393.exe
PID 1808 wrote to memory of 2464	1808	Product Emm 803030830019971 10082982820091989 109938377338393.exe	Product Emm 803030830019971 10082982820091989 109938377338393.exe
PID 1808 wrote to memory of 2464	1808	Product Emm 803030830019971 10082982820091989 109938377338393.exe	Product Emm 803030830019971 10082982820091989 109938377338393.exe
PID 1808 wrote to memory of 2464	1808	Product Emm 803030830019971 10082982820091989 109938377338393.exe	Product Emm 803030830019971 10082982820091989 109938377338393.exe
PID 2464 wrote to memory of 2288	2464	Product Emm 803030830019971 10082982820091989 109938377338393.exe	cmd.exe
PID 2464 wrote to memory of 2288	2464	Product Emm 803030830019971 10082982820091989 109938377338393.exe	cmd.exe
PID 2464 wrote to memory of 2288	2464	Product Emm 803030830019971 10082982820091989 109938377338393.exe	cmd.exe
PID 2464 wrote to memory of 2288	2464	Product Emm 803030830019971 10082982820091989 109938377338393.exe	cmd.exe
PID 2464 wrote to memory of 2036	2464	Product Emm 803030830019971 10082982820091989 109938377338393.exe	cmd.exe
PID 2464 wrote to memory of 2036	2464	Product Emm 803030830019971 10082982820091989 109938377338393.exe	cmd.exe
PID 2464 wrote to memory of 2036	2464	Product Emm 803030830019971 10082982820091989 109938377338393.exe	cmd.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

Product Emm 803030830019971 10082982820091989 109938377338393.exeލޛޝޘމݘލ.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Product Emm 803030830019971 10082982820091989 109938377338393.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ލޛޝޘމݘލ.exe

C:\Users\Admin\AppData\Local\Temp\Product Emm 803030830019971 10082982820091989 109938377338393.exe
"C:\Users\Admin\AppData\Local\Temp\Product Emm 803030830019971 10082982820091989 109938377338393.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Windows security modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1808

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Product Emm 803030830019971 10082982820091989 109938377338393.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:776

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ލޛޝޘމݘލ.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:564

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ލޛޝޘމݘލ.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1108

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Product Emm 803030830019971 10082982820091989 109938377338393.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:292

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ލޛޝޘމݘލ.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ލޛޝޘމݘލ.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1504

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ލޛޝޘމݘލ.exe" -Force
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1580

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Public\Documents\\svchost.exe" -Force
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:840

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Public\Documents\\svchost.exe" -Force
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2140

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ލޛޝޘމݘލ.exe" -Force
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1068

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Public\Documents\\svchost.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1536

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Product Emm 803030830019971 10082982820091989 109938377338393.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1604

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Public\Documents\\svchost.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1384

C:\Users\Admin\AppData\Local\Temp\Product Emm 803030830019971 10082982820091989 109938377338393.exe
"C:\Users\Admin\AppData\Local\Temp\Product Emm 803030830019971 10082982820091989 109938377338393.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2464

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c start C:\Users\Admin\AppData\Local\Temp\tmp5D39.tmp.exe & exit
3⤵
- Loads dropped DLL
PID:2288

C:\Users\Admin\AppData\Local\Temp\tmp5D39.tmp.exe
C:\Users\Admin\AppData\Local\Temp\tmp5D39.tmp.exe
4⤵
- Executes dropped EXE
- Drops startup file
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2332

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c Copy "C:\Users\Admin\AppData\Local\Temp\tmp5D39.tmp.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tmp5D39.tmp.exe"
5⤵
- Drops startup file
PID:1836

C:\Users\Admin\AppData\Local\Temp\tmp5D39.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp5D39.tmp.exe"
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:2932

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe"
6⤵
PID:3020

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c start C:\Users\Admin\AppData\Local\Temp\tmp5D59.tmp.exe & exit
3⤵
- Loads dropped DLL
PID:2036

C:\Users\Admin\AppData\Local\Temp\tmp5D59.tmp.exe
C:\Users\Admin\AppData\Local\Temp\tmp5D59.tmp.exe
4⤵
- Executes dropped EXE
- Drops startup file
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1028

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c Copy "C:\Users\Admin\AppData\Local\Temp\tmp5D59.tmp.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tmp5D59.tmp.exe"
5⤵
- Drops startup file
PID:2268

C:\Users\Admin\AppData\Local\Temp\tmp5D59.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp5D59.tmp.exe"
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:2952

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe"
6⤵
PID:844

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c start C:\Users\Admin\AppData\Local\Temp\tmp6C60.tmp.exe & exit
3⤵
- Loads dropped DLL
PID:1772

C:\Users\Admin\AppData\Local\Temp\tmp6C60.tmp.exe
C:\Users\Admin\AppData\Local\Temp\tmp6C60.tmp.exe
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2600

C:\Users\Admin\AppData\Local\Temp\de79a47d-157f-43b9-a72d-45db0f50de41\5b7c3625-1b2e-44b9-8ce2-a76b5fad6ec7.exe
"C:\Users\Admin\AppData\Local\Temp\de79a47d-157f-43b9-a72d-45db0f50de41\5b7c3625-1b2e-44b9-8ce2-a76b5fad6ec7.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\tmp6C60.tmp.exe" /WindowState ""1"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2892

C:\Users\Admin\AppData\Local\Temp\de79a47d-157f-43b9-a72d-45db0f50de41\5b7c3625-1b2e-44b9-8ce2-a76b5fad6ec7.exe
"C:\Users\Admin\AppData\Local\Temp\de79a47d-157f-43b9-a72d-45db0f50de41\5b7c3625-1b2e-44b9-8ce2-a76b5fad6ec7.exe" /SpecialRun 4101d8 2892
6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2920

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c start C:\Users\Admin\AppData\Local\Temp\tmp6D3B.tmp.exe & exit
3⤵
- Loads dropped DLL
PID:2576

C:\Users\Admin\AppData\Local\Temp\tmp6D3B.tmp.exe
C:\Users\Admin\AppData\Local\Temp\tmp6D3B.tmp.exe
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2652

C:\Users\Admin\AppData\Local\Temp\c6572912-9fed-40eb-8167-8ef3e035b1a0\e9634e44-526f-48f1-be82-b2b23ef19387.exe
"C:\Users\Admin\AppData\Local\Temp\c6572912-9fed-40eb-8167-8ef3e035b1a0\e9634e44-526f-48f1-be82-b2b23ef19387.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\tmp6D3B.tmp.exe" /WindowState ""1"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2300

C:\Users\Admin\AppData\Local\Temp\c6572912-9fed-40eb-8167-8ef3e035b1a0\e9634e44-526f-48f1-be82-b2b23ef19387.exe
"C:\Users\Admin\AppData\Local\Temp\c6572912-9fed-40eb-8167-8ef3e035b1a0\e9634e44-526f-48f1-be82-b2b23ef19387.exe" /SpecialRun 4101d8 2300
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2756

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_1602f747-c1a3-4345-8dec-4dcb8b1f72e5
MD5
02ff38ac870de39782aeee04d7b48231

SHA1
0390d39fa216c9b0ecdb38238304e518fb2b5095

SHA256
fbd66a9baf753db31b8de23f2d51b67f8676687503653103080c45b16f1dc876

SHA512
24a1ff76ee42ff7a5ea42843928c4df07b06178f7781cd840e1e086e88735d81506eb67259ff1e6ce5aaa7c5baea03886da265eb7e025ff4dc4c4b5f8cd3e341

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_2d686436-375c-4ee1-bd4a-9e44ccd248ba
MD5
75a8da7754349b38d64c87c938545b1b

SHA1
5c28c257d51f1c1587e29164cc03ea880c21b417

SHA256
bf08151c174b5d00c9dbc7907b2c6a01b4be76bfa3afce1e8bd98a04ad833c96

SHA512
798797bc74c56c874e9a5fdcb0157c04e37a1b3cce285ef064b01bceef8cec45f11a5198918c6c647220b62883606b5e12e3cca3ea369f3a66e69dea6e15f643

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_4375eeb7-a65d-43f1-a616-02c5ad6c5370
MD5
be4d72095faf84233ac17b94744f7084

SHA1
cc78ce5b9c57573bd214a8f423ee622b00ebb1ec

SHA256
b0d72c5c22e57913476ac8fc686a4593f137c6667d5094522c0a0685dabd7adc

SHA512
43856e9b1032b8690ceea810c931bed3655e9190414bb220fb6afc136f31b8335e07604dffb28405d4006f266a54cff424c527d29924b1b732c9647a3252b097

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_5f5452bb-517d-4b3a-8557-e7481d81aa44
MD5
d89968acfbd0cd60b51df04860d99896

SHA1
b3c29916ccb81ce98f95bbf3aa8a73de16298b29

SHA256
1020cc7c929cd5a4e68ccb40353ca76f427df363f0d95e456eb79db039bdb2b9

SHA512
b0e886cce598371b59131fed1535e220c798691bad93ef9474ba440066f5a6bd77a60966604b7a5ff6298b2e200c9dd0c8f9f04aff208b2af423480ead4e8842

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_6fe5bd95-2cea-4aea-9c8c-dd67bac4295b
MD5
df44874327d79bd75e4264cb8dc01811

SHA1
1396b06debed65ea93c24998d244edebd3c0209d

SHA256
55de642c5c9e436ec01c57004dae797022442c3245daf7162d19a5585f221181

SHA512
95dc9298b8db059bbe746f67e6a7f8515781c7053cc60c01532e47623a996be7e1bd23d1bd8f5f2045adff27454f44930d503c15b695690088841cedbd2a06c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_bc2fe8ee-69c0-48ce-8821-1fab80ab4eeb
MD5
597009ea0430a463753e0f5b1d1a249e

SHA1
4e38b8bb65ecbd5c9f0d3d8c47f7caba33de6c62

SHA256
3fd2a8217a845c43dbc0dc206c28be81d2687aa9ba62019d905aef10cfaec45d

SHA512
5d722fa908e64575b2497c60d142e182011a10c6ed33813b3b4796b3147ece1bc96938518b4c8911a1bac3b7560528ebe3e8e754c11015516d335df5d7c6871d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_c1db2f17-118f-4104-a91f-af7325170886
MD5
7f79b990cb5ed648f9e583fe35527aa7

SHA1
71b177b48c8bd745ef02c2affad79ca222da7c33

SHA256
080ec69d3f2abac629a0bdc314f150ad42a9a1b0a031b1d5c7b5b80051c48683

SHA512
20926edf7f0b990da4bd8d7ba91bd8bf7b952b75080f687afa7197a91777604688303d38b4a0a7240b558c23f2e0cd927d3590765109f8be0551f5eb050eafda

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_cca18ecf-b273-43a1-b97c-e66febb06fea
MD5
a70ee38af4bb2b5ed3eeb7cbd1a12fa3

SHA1
81dbaeae4b0f9e1adc0a1e3d6d76a12396498ba9

SHA256
dd2f41f92f19c3fe031bdf5da68ab06768e26762d0077b290cd0094df1d5d58d

SHA512
8c69a5300c7545c5c4b25a0594e6813b6b7a85b5f3ae7fc5464b4074fe6f50b2f49d31cacf19bc20a02bb8e237656f1b9b2a3f6a3953e3a8478ca2adc154e0e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_d9f1b94e-fb86-4ad1-828c-b5c8da0695ff
MD5
354b8209f647a42e2ce36d8cf326cc92

SHA1
98c3117f797df69935f8b09fc9e95accfe3d8346

SHA256
feae405d288fdd38438f9d9b54f791f3ce3805f1bb88780da5aca402ad372239

SHA512
420be869b58e9a7a2c31f2550ac269df832935692a6431d455a10d9b426781e79d91e30ace2c465633b8a7ff2be1bf49734d8b99a390090dc4b36411d4391ff0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_fa12b0a1-3d6a-4bab-a74a-253a75ca0598
MD5
5e3c7184a75d42dda1a83606a45001d8

SHA1
94ca15637721d88f30eb4b6220b805c5be0360ed

SHA256
8278033a65d1ff48be4d86e11f87930d187692f59f8bf2f0a9d170de285afb59

SHA512
fae99b6e9b106e0f1c30aa4082b25ae1ad643455c1295c2c16ad534e3e611b9b08492353ffe1af1cfdddc9b2b7c330747a64012c45e62b8f4a4982dcc214e05b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_fd9bf4da-ec38-4847-85c5-d50f35796d4c
MD5
a725bb9fafcf91f3c6b7861a2bde6db2

SHA1
8bb5b83f3cc37ff1e5ea4f02acae38e72364c114

SHA256
51651f27f54c7261887037aa1de4eff0a26c6807906dfc34a15cd5a0b58a8431

SHA512
1c4b21dd5660bfec8347257bb3da64681b0a97c427790d9ab3484f687dac032bcff0e07876635953697b00cf83e7d37f97c44e0219627fd0533f60ed3024b97e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_fd9bf4da-ec38-4847-85c5-d50f35796d4c
MD5
a725bb9fafcf91f3c6b7861a2bde6db2

SHA1
8bb5b83f3cc37ff1e5ea4f02acae38e72364c114

SHA256
51651f27f54c7261887037aa1de4eff0a26c6807906dfc34a15cd5a0b58a8431

SHA512
1c4b21dd5660bfec8347257bb3da64681b0a97c427790d9ab3484f687dac032bcff0e07876635953697b00cf83e7d37f97c44e0219627fd0533f60ed3024b97e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_fd9bf4da-ec38-4847-85c5-d50f35796d4c
MD5
a725bb9fafcf91f3c6b7861a2bde6db2

SHA1
8bb5b83f3cc37ff1e5ea4f02acae38e72364c114

SHA256
51651f27f54c7261887037aa1de4eff0a26c6807906dfc34a15cd5a0b58a8431

SHA512
1c4b21dd5660bfec8347257bb3da64681b0a97c427790d9ab3484f687dac032bcff0e07876635953697b00cf83e7d37f97c44e0219627fd0533f60ed3024b97e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_fd9bf4da-ec38-4847-85c5-d50f35796d4c
MD5
a725bb9fafcf91f3c6b7861a2bde6db2

SHA1
8bb5b83f3cc37ff1e5ea4f02acae38e72364c114

SHA256
51651f27f54c7261887037aa1de4eff0a26c6807906dfc34a15cd5a0b58a8431

SHA512
1c4b21dd5660bfec8347257bb3da64681b0a97c427790d9ab3484f687dac032bcff0e07876635953697b00cf83e7d37f97c44e0219627fd0533f60ed3024b97e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_fd9bf4da-ec38-4847-85c5-d50f35796d4c
MD5
a725bb9fafcf91f3c6b7861a2bde6db2

SHA1
8bb5b83f3cc37ff1e5ea4f02acae38e72364c114

SHA256
51651f27f54c7261887037aa1de4eff0a26c6807906dfc34a15cd5a0b58a8431

SHA512
1c4b21dd5660bfec8347257bb3da64681b0a97c427790d9ab3484f687dac032bcff0e07876635953697b00cf83e7d37f97c44e0219627fd0533f60ed3024b97e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_fd9bf4da-ec38-4847-85c5-d50f35796d4c
MD5
a725bb9fafcf91f3c6b7861a2bde6db2

SHA1
8bb5b83f3cc37ff1e5ea4f02acae38e72364c114

SHA256
51651f27f54c7261887037aa1de4eff0a26c6807906dfc34a15cd5a0b58a8431

SHA512
1c4b21dd5660bfec8347257bb3da64681b0a97c427790d9ab3484f687dac032bcff0e07876635953697b00cf83e7d37f97c44e0219627fd0533f60ed3024b97e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_fd9bf4da-ec38-4847-85c5-d50f35796d4c
MD5
a725bb9fafcf91f3c6b7861a2bde6db2

SHA1
8bb5b83f3cc37ff1e5ea4f02acae38e72364c114

SHA256
51651f27f54c7261887037aa1de4eff0a26c6807906dfc34a15cd5a0b58a8431

SHA512
1c4b21dd5660bfec8347257bb3da64681b0a97c427790d9ab3484f687dac032bcff0e07876635953697b00cf83e7d37f97c44e0219627fd0533f60ed3024b97e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_fd9bf4da-ec38-4847-85c5-d50f35796d4c
MD5
a725bb9fafcf91f3c6b7861a2bde6db2

SHA1
8bb5b83f3cc37ff1e5ea4f02acae38e72364c114

SHA256
51651f27f54c7261887037aa1de4eff0a26c6807906dfc34a15cd5a0b58a8431

SHA512
1c4b21dd5660bfec8347257bb3da64681b0a97c427790d9ab3484f687dac032bcff0e07876635953697b00cf83e7d37f97c44e0219627fd0533f60ed3024b97e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_fd9bf4da-ec38-4847-85c5-d50f35796d4c
MD5
a725bb9fafcf91f3c6b7861a2bde6db2

SHA1
8bb5b83f3cc37ff1e5ea4f02acae38e72364c114

SHA256
51651f27f54c7261887037aa1de4eff0a26c6807906dfc34a15cd5a0b58a8431

SHA512
1c4b21dd5660bfec8347257bb3da64681b0a97c427790d9ab3484f687dac032bcff0e07876635953697b00cf83e7d37f97c44e0219627fd0533f60ed3024b97e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_fd9bf4da-ec38-4847-85c5-d50f35796d4c
MD5
a725bb9fafcf91f3c6b7861a2bde6db2

SHA1
8bb5b83f3cc37ff1e5ea4f02acae38e72364c114

SHA256
51651f27f54c7261887037aa1de4eff0a26c6807906dfc34a15cd5a0b58a8431

SHA512
1c4b21dd5660bfec8347257bb3da64681b0a97c427790d9ab3484f687dac032bcff0e07876635953697b00cf83e7d37f97c44e0219627fd0533f60ed3024b97e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_fe80cd26-0cf7-4e38-9884-6dab53b04ca9
MD5
b6d38f250ccc9003dd70efd3b778117f

SHA1
d5a17c02cac698d4f0a4a9b7d71db2aa19e3f18a

SHA256
4de9d7b5ccab7b67ca8efc83084c7ee6e5e872b7216ed4683bc5da950bf41265

SHA512
67d8195836b7f280d3f9219fd0f58276342e55d5dfdd8a4c54355030d96685d73f1b2b6da0eb39322ec7c3a1d1c5ef06b52d22646cea30a96f822de1800d31e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
MD5
69a94bc04e66f34293db367817de08b2

SHA1
67746a5de936078c0a538628996db7d1d0de9e78

SHA256
dcbeff8556cb8d1784cd92f504182962b82d70ca0e1d826c25f85d5fbbe9acf2

SHA512
ee781f81620a45878c48d5a9fc9d4797429d8557888f94adde1c3bec38d8bc5c8dc843043340924efe98ae0497488ae1959fefe8265362bedf0998467f9eb537

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
MD5
72ad845d1a0ac5aabd072566523a7719

SHA1
b57a94bad6ba4553ffb247a2e7132eefd3b01402

SHA256
d4e54e31c95a2dd221be1d563c9f44d7b98f00e4e42075bc9b3d9f9079cf89c5

SHA512
3c3edd9dd9dd3f0a0631d91fc37f50f57fae59f3c94795274e23af61f1e40e2f26f5fd2eb25ed19b321971387cc0887a5544fc8ab9696351b59f2aa537cc3122

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
MD5
ab2ed2e5fa98de8c8426cf399d1aaf98

SHA1
89323472dcea0c4e0484da5e4b43e2e84eb44509

SHA256
d53f001452987e507ab75c5e8b5a08535630aac65d279995f417ac90b2d6a450

SHA512
6df13bbd1f2ca6dd5770a5340a68ac86b686cf71b02c49d7d626fbc701f5ad86af862ddf2ca4cea2b170eb458b1661d86e5b5ddadd96919a787b30b9be390c84

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
MD5
da5edd281697143ad4c75933dc4a0008

SHA1
4f29812db75d52b30d6e6d6d8d441a03bbfd63e6

SHA256
f45f275eabacb534a28b759fbfa3c9c9efdea0bf58e286c86502671c7731be05

SHA512
38df606c97788126bf0efbf075855c340b45d74d0e01310a617148730622d4c3c6ea3e31c3326fe06157f969c88fad9ecd3fc54f7ba017743f5c1530bc01e6c9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
MD5
0284dc4b9dd0d7806b27e762cb104863

SHA1
9b614b616fc764571de78723ba8a43855c58ea70

SHA256
02452d5203aaa77763d77ef119ec3f1afb05c46f6ea76671df1c7581273e62d0

SHA512
119af3a2a850bbd853d72d4bf3acc396a70ba2a2abf26185d75c9bcddc17c7913c9d9bcd99b6eef62d5e3033318ed2aaa66f490eeddf71d389ec8ae877e6f18c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
MD5
ec3814d0e9d3c8acf52adca2cb82ac9c

SHA1
3f695ac8afcaabb0441e9f652d36ad8dc720de89

SHA256
c9794c8407c56d48a57cbe45e9061fd2699a5a7f2225fcdbf7556f6a8d5e37ce

SHA512
b3edb81f46a92d6d5cbf6e2d6ab0427cfbf76b6dfa08992b10c9026d03cab2d37d828130512813edd3ff417f0ba74673686b206f50d2261e32d6e4cdbdc70708

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
MD5
35976a5aea9f937a506438c27049544e

SHA1
dca3ec077731f78110e93a732157444b319fa12b

SHA256
89ccc95e27b30ae1260a5bbe8ad143d54f366e7670faaefc6b50678e40b18c82

SHA512
666adf3ae0b3d040806e6f7b95ceea991298849638b78a00709c1bd98d06217421be695c3774136485320ac461c75b2cf5a9c9b6394460b54cb675aa9282618c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
MD5
ec239d0ae96a13209b8e946240242bba

SHA1
5af85214d1a9516581727f0edce4206e256eb258

SHA256
48e22a6dee94fb16db61e5b6a34d1555310f3f64daa4a6497001c6a7d0baf4d7

SHA512
62e2c8e643f3f92224f56ee0364e2dea5a144f19ae7c3ae028e80f2f1d320756c116ad41da91791579f2d5e1af8f474d17853d8f8a04b543d1074f8a2fd118a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
MD5
2b35f580c337e720e193edc09323db91

SHA1
3cee439859e7abd1044f7243a171ce3b01c32b65

SHA256
c9bba2383a93aee631791e5a3c51879eb7602c0cf6d739088485ac983be1cb92

SHA512
d8004393a243029049880535f0aec498cd8c5fc75c3bbd2718d44d045de785908f94665f9e7b062f0cedab92c3c362dc883d1d33ce52ce166625a1c323426209

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
MD5
043324a155d09a3cc8e7e36558b22b5f

SHA1
16e6e21d7f9aa33eda447c4ecf57db0a44150a15

SHA256
bfbb2201dabe4d43db8c0baf7753bfe66a67db39d49fc4c09741ba2ef954cddd

SHA512
a3bc3bdfbd89f9d18971e96ae4c7d1b30adb9a5c93127597cd82797929bd68556cbdb3cd21acdf00d549780b70741a9f2021f5ce6a2c8215ad0de53a14545a7a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
MD5
df8b5d3071d5d170ba3282747d56c236

SHA1
39aa652b0f22ef4e5f203aed240203591162e470

SHA256
a5e1896363d4d574893f1569960ece07bbf04d01b9b6624c5a22bb6b7adbaf87

SHA512
68fb43ed462f0cf6a4fd878e0e106d6126f09c5d8ba81366f4a041b6f17e48228df8084fa3561a804001d940b34a874df7c10830485d752ebdd7c6dd4d6260dc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
MD5
2938111c843e66b7333c290f1ac9c8c3

SHA1
987e108c0a80c661720702d72f133cc60617da35

SHA256
39f7118ac7496409acf203bae31fcc79a4faea78812b9b49a2b7f26989a3a1e8

SHA512
4c55e2e80bed55e1c332e1906ada47bffb5d3b5ab20d467021b431fbbacf6364a139e816a4a0653eaf96c65ad20dfddf414e80b6520d03d718d220a376516a54

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
MD5
2938111c843e66b7333c290f1ac9c8c3

SHA1
987e108c0a80c661720702d72f133cc60617da35

SHA256
39f7118ac7496409acf203bae31fcc79a4faea78812b9b49a2b7f26989a3a1e8

SHA512
4c55e2e80bed55e1c332e1906ada47bffb5d3b5ab20d467021b431fbbacf6364a139e816a4a0653eaf96c65ad20dfddf414e80b6520d03d718d220a376516a54

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
MD5
f844f8a8300cf98c438a27c4cdb6ed54

SHA1
27c6bf73a41972ed41d178d36bf5880e189e230c

SHA256
18e5bce7c4d91438d8820c555bda4e817241c388e382a7a34a156aec8f18b891

SHA512
b869091e1d89c9ad57c76ec057954fe66960edca77015ff26ef4320d7d2b64c29eb842d096fac65b71d5083b9559b58d63f70f7b1e4a2c5701cf839668059313

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
MD5
748251da42e6c61954b84eae87c41f2e

SHA1
9f3ffb051c8b72ac82cd76d327436609d9c92b5e

SHA256
0cb2aa6573cc347989be4bef1a0a8db13cc6c6370894183aa01bb5701f23c40a

SHA512
89c16452520c5b7cac6d1cd38ef541e814c1a5c97492896f229c4b6e14321628aaca44c4aa70181aef53f2fa49cea732cf22c5185cdfbbe54de201e32d9a9256

Download Submit
C:\Users\Admin\AppData\Local\Temp\031a559e2e3c46298d62dd0fd619b9c9
MD5
27e4b98a9ccf6e9d14fb527d29337776

SHA1
6e3e19996c1e1be97a067e71e5a7b2ef8957948b

SHA256
a924949bb396dfcc1a3e99c66e2b71ba0f9a9d4d943c90619c6a7774625d038c

SHA512
572bf0f8a476edcc19c8a1617715b651461f8743f2ff385d2df97569d6c704f66deb3ee644f61341cd7391c1eb89ec3fb2c053c8913161c9ca3fe5ce58ca4008

Download Submit
C:\Users\Admin\AppData\Local\Temp\9e0038ecbdf546609e1d6a8fe18ad968
MD5
a5e987dd12064883c589870fc20cc1d1

SHA1
465b0163fc4f178ba82139d642db2a2dee92c794

SHA256
631a5f1d6147d40f1b31bbddb226495f94f82d4daccbe7a0d66b2eccd46dc8c0

SHA512
640246f409af61688a932137cdc0dd0c41b3f7ed9253ca307cdf717a026664942169ff83ca3aef5c1aee7ba3dbeac4a0b789cd58d5114eb486d6da703c8e5c39

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5D39.tmp.exe
MD5
181d7393dd6c21b1950ee3dd53c6561c

SHA1
6da04786520fb6a297dfe1d9fef43b4f9d06e856

SHA256
4a4582eededab42826aa08f65a98b3a31836a399eee58702bb37538084a2e086

SHA512
45f5b569613ea0ff85a469a88295885755cdf56528cf1577d770f38ebbb53643102c9fd9a397c483b4524c8c5153fdf7895e8b084f98e442551659b180cccddf

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5D39.tmp.exe
MD5
181d7393dd6c21b1950ee3dd53c6561c

SHA1
6da04786520fb6a297dfe1d9fef43b4f9d06e856

SHA256
4a4582eededab42826aa08f65a98b3a31836a399eee58702bb37538084a2e086

SHA512
45f5b569613ea0ff85a469a88295885755cdf56528cf1577d770f38ebbb53643102c9fd9a397c483b4524c8c5153fdf7895e8b084f98e442551659b180cccddf

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5D59.tmp.exe
MD5
181d7393dd6c21b1950ee3dd53c6561c

SHA1
6da04786520fb6a297dfe1d9fef43b4f9d06e856

SHA256
4a4582eededab42826aa08f65a98b3a31836a399eee58702bb37538084a2e086

SHA512
45f5b569613ea0ff85a469a88295885755cdf56528cf1577d770f38ebbb53643102c9fd9a397c483b4524c8c5153fdf7895e8b084f98e442551659b180cccddf

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5D59.tmp.exe
MD5
181d7393dd6c21b1950ee3dd53c6561c

SHA1
6da04786520fb6a297dfe1d9fef43b4f9d06e856

SHA256
4a4582eededab42826aa08f65a98b3a31836a399eee58702bb37538084a2e086

SHA512
45f5b569613ea0ff85a469a88295885755cdf56528cf1577d770f38ebbb53643102c9fd9a397c483b4524c8c5153fdf7895e8b084f98e442551659b180cccddf

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp6C60.tmp.exe
MD5
fd26b6437f6df0e583a218ea7f509e3a

SHA1
f63dd2a25fcc8ae5b7631728bd73dbad1c402849

SHA256
a12acc2c16d405369207014777eaf1ca8f091ee58d42ca413f5c63d46e81eec7

SHA512
14b16efc6ad57251c9faa35964be639aadc6342478df29b60ef92d89f14ac2ab222c255b63e5ac1c2e7fc0c60455bd8d6bdd5f8f40de25d4fe0287ff4ce57055

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp6C60.tmp.exe
MD5
fd26b6437f6df0e583a218ea7f509e3a

SHA1
f63dd2a25fcc8ae5b7631728bd73dbad1c402849

SHA256
a12acc2c16d405369207014777eaf1ca8f091ee58d42ca413f5c63d46e81eec7

SHA512
14b16efc6ad57251c9faa35964be639aadc6342478df29b60ef92d89f14ac2ab222c255b63e5ac1c2e7fc0c60455bd8d6bdd5f8f40de25d4fe0287ff4ce57055

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp6D3B.tmp.exe
MD5
fd26b6437f6df0e583a218ea7f509e3a

SHA1
f63dd2a25fcc8ae5b7631728bd73dbad1c402849

SHA256
a12acc2c16d405369207014777eaf1ca8f091ee58d42ca413f5c63d46e81eec7

SHA512
14b16efc6ad57251c9faa35964be639aadc6342478df29b60ef92d89f14ac2ab222c255b63e5ac1c2e7fc0c60455bd8d6bdd5f8f40de25d4fe0287ff4ce57055

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp6D3B.tmp.exe
MD5
fd26b6437f6df0e583a218ea7f509e3a

SHA1
f63dd2a25fcc8ae5b7631728bd73dbad1c402849

SHA256
a12acc2c16d405369207014777eaf1ca8f091ee58d42ca413f5c63d46e81eec7

SHA512
14b16efc6ad57251c9faa35964be639aadc6342478df29b60ef92d89f14ac2ab222c255b63e5ac1c2e7fc0c60455bd8d6bdd5f8f40de25d4fe0287ff4ce57055

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
03f9d66e15e0d81f9819ab9d7485db45

SHA1
5c75087c45356a4e3b30743a10ed37f70854154d

SHA256
21feefb386bcee6f75836b2d9b9423979681311bf328d9dc3e6e67bbdafb2fa0

SHA512
3797de9976a96b8b810373323a39cb9caa93091b38fc8b28791c1b98dc9a9fc44b05f81caedd4e623ee6342505e559bc5058d084d97fb193cb2e59933a1eed36

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
03f9d66e15e0d81f9819ab9d7485db45

SHA1
5c75087c45356a4e3b30743a10ed37f70854154d

SHA256
21feefb386bcee6f75836b2d9b9423979681311bf328d9dc3e6e67bbdafb2fa0

SHA512
3797de9976a96b8b810373323a39cb9caa93091b38fc8b28791c1b98dc9a9fc44b05f81caedd4e623ee6342505e559bc5058d084d97fb193cb2e59933a1eed36

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
03f9d66e15e0d81f9819ab9d7485db45

SHA1
5c75087c45356a4e3b30743a10ed37f70854154d

SHA256
21feefb386bcee6f75836b2d9b9423979681311bf328d9dc3e6e67bbdafb2fa0

SHA512
3797de9976a96b8b810373323a39cb9caa93091b38fc8b28791c1b98dc9a9fc44b05f81caedd4e623ee6342505e559bc5058d084d97fb193cb2e59933a1eed36

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
03f9d66e15e0d81f9819ab9d7485db45

SHA1
5c75087c45356a4e3b30743a10ed37f70854154d

SHA256
21feefb386bcee6f75836b2d9b9423979681311bf328d9dc3e6e67bbdafb2fa0

SHA512
3797de9976a96b8b810373323a39cb9caa93091b38fc8b28791c1b98dc9a9fc44b05f81caedd4e623ee6342505e559bc5058d084d97fb193cb2e59933a1eed36

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
03f9d66e15e0d81f9819ab9d7485db45

SHA1
5c75087c45356a4e3b30743a10ed37f70854154d

SHA256
21feefb386bcee6f75836b2d9b9423979681311bf328d9dc3e6e67bbdafb2fa0

SHA512
3797de9976a96b8b810373323a39cb9caa93091b38fc8b28791c1b98dc9a9fc44b05f81caedd4e623ee6342505e559bc5058d084d97fb193cb2e59933a1eed36

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
03f9d66e15e0d81f9819ab9d7485db45

SHA1
5c75087c45356a4e3b30743a10ed37f70854154d

SHA256
21feefb386bcee6f75836b2d9b9423979681311bf328d9dc3e6e67bbdafb2fa0

SHA512
3797de9976a96b8b810373323a39cb9caa93091b38fc8b28791c1b98dc9a9fc44b05f81caedd4e623ee6342505e559bc5058d084d97fb193cb2e59933a1eed36

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
03f9d66e15e0d81f9819ab9d7485db45

SHA1
5c75087c45356a4e3b30743a10ed37f70854154d

SHA256
21feefb386bcee6f75836b2d9b9423979681311bf328d9dc3e6e67bbdafb2fa0

SHA512
3797de9976a96b8b810373323a39cb9caa93091b38fc8b28791c1b98dc9a9fc44b05f81caedd4e623ee6342505e559bc5058d084d97fb193cb2e59933a1eed36

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
03f9d66e15e0d81f9819ab9d7485db45

SHA1
5c75087c45356a4e3b30743a10ed37f70854154d

SHA256
21feefb386bcee6f75836b2d9b9423979681311bf328d9dc3e6e67bbdafb2fa0

SHA512
3797de9976a96b8b810373323a39cb9caa93091b38fc8b28791c1b98dc9a9fc44b05f81caedd4e623ee6342505e559bc5058d084d97fb193cb2e59933a1eed36

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
03f9d66e15e0d81f9819ab9d7485db45

SHA1
5c75087c45356a4e3b30743a10ed37f70854154d

SHA256
21feefb386bcee6f75836b2d9b9423979681311bf328d9dc3e6e67bbdafb2fa0

SHA512
3797de9976a96b8b810373323a39cb9caa93091b38fc8b28791c1b98dc9a9fc44b05f81caedd4e623ee6342505e559bc5058d084d97fb193cb2e59933a1eed36

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
03f9d66e15e0d81f9819ab9d7485db45

SHA1
5c75087c45356a4e3b30743a10ed37f70854154d

SHA256
21feefb386bcee6f75836b2d9b9423979681311bf328d9dc3e6e67bbdafb2fa0

SHA512
3797de9976a96b8b810373323a39cb9caa93091b38fc8b28791c1b98dc9a9fc44b05f81caedd4e623ee6342505e559bc5058d084d97fb193cb2e59933a1eed36

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ލޛޝޘމݘލ.exe
MD5
728961a48344fe5a70b1e3018e44c117

SHA1
4a9445a76f3d5b8713446dd98e9d5941a9f02b19

SHA256
e7b067c6a4b7ebf676eebc9b60c80be110c607e681220cce63675ba95068fa84

SHA512
4365af4884c40f047d826e81e4e9d09b138daccbdec53da5152d2b5261a0af6d352af2ad6a72e9b1d399664938f0f5cddb4f298e96b621ef1eb80943dac770b4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ލޛޝޘމݘލ.exe
MD5
728961a48344fe5a70b1e3018e44c117

SHA1
4a9445a76f3d5b8713446dd98e9d5941a9f02b19

SHA256
e7b067c6a4b7ebf676eebc9b60c80be110c607e681220cce63675ba95068fa84

SHA512
4365af4884c40f047d826e81e4e9d09b138daccbdec53da5152d2b5261a0af6d352af2ad6a72e9b1d399664938f0f5cddb4f298e96b621ef1eb80943dac770b4

Download Submit
\Users\Admin\AppData\Local\Temp\c6572912-9fed-40eb-8167-8ef3e035b1a0\e9634e44-526f-48f1-be82-b2b23ef19387.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
\Users\Admin\AppData\Local\Temp\tmp5D39.tmp.exe
MD5
181d7393dd6c21b1950ee3dd53c6561c

SHA1
6da04786520fb6a297dfe1d9fef43b4f9d06e856

SHA256
4a4582eededab42826aa08f65a98b3a31836a399eee58702bb37538084a2e086

SHA512
45f5b569613ea0ff85a469a88295885755cdf56528cf1577d770f38ebbb53643102c9fd9a397c483b4524c8c5153fdf7895e8b084f98e442551659b180cccddf

Download Submit
\Users\Admin\AppData\Local\Temp\tmp5D59.tmp.exe
MD5
181d7393dd6c21b1950ee3dd53c6561c

SHA1
6da04786520fb6a297dfe1d9fef43b4f9d06e856

SHA256
4a4582eededab42826aa08f65a98b3a31836a399eee58702bb37538084a2e086

SHA512
45f5b569613ea0ff85a469a88295885755cdf56528cf1577d770f38ebbb53643102c9fd9a397c483b4524c8c5153fdf7895e8b084f98e442551659b180cccddf

Download Submit
\Users\Admin\AppData\Local\Temp\tmp6C60.tmp.exe
MD5
fd26b6437f6df0e583a218ea7f509e3a

SHA1
f63dd2a25fcc8ae5b7631728bd73dbad1c402849

SHA256
a12acc2c16d405369207014777eaf1ca8f091ee58d42ca413f5c63d46e81eec7

SHA512
14b16efc6ad57251c9faa35964be639aadc6342478df29b60ef92d89f14ac2ab222c255b63e5ac1c2e7fc0c60455bd8d6bdd5f8f40de25d4fe0287ff4ce57055

Download Submit
\Users\Admin\AppData\Local\Temp\tmp6D3B.tmp.exe
MD5
fd26b6437f6df0e583a218ea7f509e3a

SHA1
f63dd2a25fcc8ae5b7631728bd73dbad1c402849

SHA256
a12acc2c16d405369207014777eaf1ca8f091ee58d42ca413f5c63d46e81eec7

SHA512
14b16efc6ad57251c9faa35964be639aadc6342478df29b60ef92d89f14ac2ab222c255b63e5ac1c2e7fc0c60455bd8d6bdd5f8f40de25d4fe0287ff4ce57055

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ލޛޝޘމݘލ.exe
MD5
728961a48344fe5a70b1e3018e44c117

SHA1
4a9445a76f3d5b8713446dd98e9d5941a9f02b19

SHA256
e7b067c6a4b7ebf676eebc9b60c80be110c607e681220cce63675ba95068fa84

SHA512
4365af4884c40f047d826e81e4e9d09b138daccbdec53da5152d2b5261a0af6d352af2ad6a72e9b1d399664938f0f5cddb4f298e96b621ef1eb80943dac770b4

Download Submit
memory/292-71-0x0000000000000000-mapping.dmp

Download
memory/292-87-0x0000000004A60000-0x0000000004A61000-memory.dmp

Filesize
4KB

Download
memory/292-101-0x0000000004A22000-0x0000000004A23000-memory.dmp

Filesize
4KB

Download
memory/292-100-0x0000000004A20000-0x0000000004A21000-memory.dmp

Filesize
4KB

Download
memory/564-94-0x0000000004972000-0x0000000004973000-memory.dmp

Filesize
4KB

Download
memory/564-66-0x0000000000000000-mapping.dmp

Download
memory/564-91-0x0000000004970000-0x0000000004971000-memory.dmp

Filesize
4KB

Download
memory/564-74-0x0000000000A50000-0x0000000000A51000-memory.dmp

Filesize
4KB

Download
memory/776-65-0x0000000000000000-mapping.dmp

Download
memory/776-93-0x0000000001090000-0x0000000001091000-memory.dmp

Filesize
4KB

Download
memory/776-99-0x0000000001092000-0x0000000001093000-memory.dmp

Filesize
4KB

Download
memory/840-115-0x0000000000000000-mapping.dmp

Download
memory/844-316-0x0000000000000000-mapping.dmp

Download
memory/1028-276-0x0000000000000000-mapping.dmp

Download
memory/1068-126-0x0000000000000000-mapping.dmp

Download
memory/1108-95-0x00000000048A2000-0x00000000048A3000-memory.dmp

Filesize
4KB

Download
memory/1108-68-0x0000000000000000-mapping.dmp

Download
memory/1108-114-0x0000000004770000-0x0000000004771000-memory.dmp

Filesize
4KB

Download
memory/1108-92-0x00000000048A0000-0x00000000048A1000-memory.dmp

Filesize
4KB

Download
memory/1384-125-0x0000000004A62000-0x0000000004A63000-memory.dmp

Filesize
4KB

Download
memory/1384-105-0x0000000000000000-mapping.dmp

Download
memory/1384-136-0x0000000004A60000-0x0000000004A61000-memory.dmp

Filesize
4KB

Download
memory/1504-122-0x00000000045E0000-0x00000000045E1000-memory.dmp

Filesize
4KB

Download
memory/1504-85-0x0000000000880000-0x0000000000881000-memory.dmp

Filesize
4KB

Download
memory/1504-77-0x0000000000000000-mapping.dmp

Download
memory/1536-84-0x0000000000000000-mapping.dmp

Download
memory/1536-127-0x0000000004AE0000-0x0000000004AE1000-memory.dmp

Filesize
4KB

Download
memory/1536-132-0x0000000004AE2000-0x0000000004AE3000-memory.dmp

Filesize
4KB

Download
memory/1580-112-0x0000000000000000-mapping.dmp

Download
memory/1580-153-0x00000000053F0000-0x00000000053F1000-memory.dmp

Filesize
4KB

Download
memory/1604-135-0x0000000004A42000-0x0000000004A43000-memory.dmp

Filesize
4KB

Download
memory/1604-130-0x0000000004A40000-0x0000000004A41000-memory.dmp

Filesize
4KB

Download
memory/1604-98-0x0000000000000000-mapping.dmp

Download
memory/1772-283-0x0000000000000000-mapping.dmp

Download
memory/1808-62-0x0000000075631000-0x0000000075633000-memory.dmp

Filesize
8KB

Download
memory/1808-63-0x0000000004A20000-0x0000000004A21000-memory.dmp

Filesize
4KB

Download
memory/1808-60-0x0000000001080000-0x0000000001081000-memory.dmp

Filesize
4KB

Download
memory/1808-64-0x0000000005090000-0x00000000050E1000-memory.dmp

Filesize
324KB

Download
memory/1836-317-0x0000000000000000-mapping.dmp

Download
memory/2036-268-0x0000000000000000-mapping.dmp

Download
memory/2140-133-0x0000000000000000-mapping.dmp

Download
memory/2268-307-0x0000000000000000-mapping.dmp

Download
memory/2288-267-0x0000000000000000-mapping.dmp

Download
memory/2300-303-0x0000000000000000-mapping.dmp

Download
memory/2332-271-0x0000000000000000-mapping.dmp

Download
memory/2464-164-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2464-166-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2464-165-0x000000000040C3EE-mapping.dmp

Download
memory/2576-284-0x0000000000000000-mapping.dmp

Download
memory/2600-287-0x0000000000000000-mapping.dmp

Download
memory/2652-293-0x0000000000000000-mapping.dmp

Download
memory/2756-305-0x0000000000000000-mapping.dmp

Download
memory/2892-309-0x0000000000000000-mapping.dmp

Download
memory/2920-311-0x0000000000000000-mapping.dmp

Download
memory/2932-319-0x0000000000405CE2-mapping.dmp

Download
memory/2952-314-0x0000000000405CE2-mapping.dmp

Download
memory/3020-321-0x0000000000000000-mapping.dmp

Download