8214fef9e3cba373f5c92b48fe8535760e67cad89abdf07a7d60f69b2c37a018

Analysis

max time kernel
151s
max time network
45s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
09-02-2023 14:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

LIST.exe
Size

449KB
MD5

d74fd6ed07181f2d8c67708af84a0342
SHA1

8a564e7c684069e6ab5f72faa1a7fc5e25985cd9
SHA256

8214fef9e3cba373f5c92b48fe8535760e67cad89abdf07a7d60f69b2c37a018
SHA512

be1377559ed86fd9bdd82a754b2b1b33bdb4acf5216f142ebdb950180ed5041f41b2ebd1b0746d30dc6014220ecf2ec9c73294e3e86a17028efaeb4830167f02
SSDEEP

6144:qp0+DpuPJFjJYILWt3NwuLk5TvTobml6n6HOxLNoQyhocxiDLW9M:qwFjJnKlNwuArobmljULUXxiDLiM

Score

7^/10

discovery

Malware Config

Signatures

Loads dropped DLL 64 IoCs

Processes:

LIST.exe

pid	process
744	LIST.exe
744	LIST.exe
744	LIST.exe
744	LIST.exe
744	LIST.exe
744	LIST.exe
744	LIST.exe
744	LIST.exe
744	LIST.exe
744	LIST.exe
744	LIST.exe
744	LIST.exe
744	LIST.exe
744	LIST.exe
744	LIST.exe
744	LIST.exe
744	LIST.exe
744	LIST.exe
744	LIST.exe
744	LIST.exe
744	LIST.exe
744	LIST.exe
744	LIST.exe
744	LIST.exe
744	LIST.exe
744	LIST.exe
744	LIST.exe
744	LIST.exe
744	LIST.exe
744	LIST.exe
744	LIST.exe
744	LIST.exe
744	LIST.exe
744	LIST.exe
744	LIST.exe
744	LIST.exe
744	LIST.exe
744	LIST.exe
744	LIST.exe
744	LIST.exe
744	LIST.exe
744	LIST.exe
744	LIST.exe
744	LIST.exe
744	LIST.exe
744	LIST.exe
744	LIST.exe
744	LIST.exe
744	LIST.exe
744	LIST.exe
744	LIST.exe
744	LIST.exe
744	LIST.exe
744	LIST.exe
744	LIST.exe
744	LIST.exe
744	LIST.exe
744	LIST.exe
744	LIST.exe
744	LIST.exe
744	LIST.exe
744	LIST.exe
744	LIST.exe
744	LIST.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
1936	powershell.exe
2044	powershell.exe
1692	powershell.exe
836	powershell.exe
1008	powershell.exe
340	powershell.exe
1408	powershell.exe
1616	powershell.exe
1732	powershell.exe
1980	powershell.exe
1456	powershell.exe
1524	powershell.exe
328	powershell.exe
832	powershell.exe
1432	powershell.exe
2040	powershell.exe
1868	powershell.exe
1112	powershell.exe
1516	powershell.exe
1620	powershell.exe
1396	powershell.exe
1500	powershell.exe
944	powershell.exe
2036	powershell.exe
644	powershell.exe
1424	powershell.exe
1484	powershell.exe
692	powershell.exe
1408	powershell.exe
2032	powershell.exe
1724	powershell.exe
1612	powershell.exe
1996	powershell.exe
684	powershell.exe
2016	powershell.exe
1092	powershell.exe
1104	powershell.exe
1664	powershell.exe
1984	powershell.exe
1448	powershell.exe
1612	powershell.exe
1996	powershell.exe
368	powershell.exe
2016	powershell.exe
752	powershell.exe
620	powershell.exe
908	powershell.exe
824	powershell.exe
1208	powershell.exe
524	powershell.exe
888	powershell.exe
976	powershell.exe
1644	powershell.exe
1824	powershell.exe
2028	powershell.exe
1280	powershell.exe
776	powershell.exe
1652	powershell.exe
1620	powershell.exe
692	powershell.exe
1064	powershell.exe
1704	powershell.exe
1824	powershell.exe
1984	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

description	pid	process
Token: SeDebugPrivilege	1936	powershell.exe
Token: SeDebugPrivilege	2044	powershell.exe
Token: SeDebugPrivilege	1692	powershell.exe
Token: SeDebugPrivilege	836	powershell.exe
Token: SeDebugPrivilege	1008	powershell.exe
Token: SeDebugPrivilege	340	powershell.exe
Token: SeDebugPrivilege	1408	powershell.exe
Token: SeDebugPrivilege	1616	powershell.exe
Token: SeDebugPrivilege	1732	powershell.exe
Token: SeDebugPrivilege	1980	powershell.exe
Token: SeDebugPrivilege	1456	powershell.exe
Token: SeDebugPrivilege	1524	powershell.exe
Token: SeDebugPrivilege	328	powershell.exe
Token: SeDebugPrivilege	832	powershell.exe
Token: SeDebugPrivilege	1432	powershell.exe
Token: SeDebugPrivilege	2040	powershell.exe
Token: SeDebugPrivilege	1868	powershell.exe
Token: SeDebugPrivilege	1112	powershell.exe
Token: SeDebugPrivilege	1516	powershell.exe
Token: SeDebugPrivilege	1620	powershell.exe
Token: SeDebugPrivilege	1396	powershell.exe
Token: SeDebugPrivilege	1500	powershell.exe
Token: SeDebugPrivilege	944	powershell.exe
Token: SeDebugPrivilege	2036	powershell.exe
Token: SeDebugPrivilege	644	powershell.exe
Token: SeDebugPrivilege	1424	powershell.exe
Token: SeDebugPrivilege	1484	powershell.exe
Token: SeDebugPrivilege	692	powershell.exe
Token: SeDebugPrivilege	1408	powershell.exe
Token: SeDebugPrivilege	2032	powershell.exe
Token: SeDebugPrivilege	1724	powershell.exe
Token: SeDebugPrivilege	1612	powershell.exe
Token: SeDebugPrivilege	1996	powershell.exe
Token: SeDebugPrivilege	684	powershell.exe
Token: SeDebugPrivilege	2016	powershell.exe
Token: SeDebugPrivilege	1092	powershell.exe
Token: SeDebugPrivilege	1104	powershell.exe
Token: SeDebugPrivilege	1664	powershell.exe
Token: SeDebugPrivilege	1984	powershell.exe
Token: SeDebugPrivilege	1448	powershell.exe
Token: SeDebugPrivilege	1612	powershell.exe
Token: SeDebugPrivilege	1996	powershell.exe
Token: SeDebugPrivilege	368	powershell.exe
Token: SeDebugPrivilege	2016	powershell.exe
Token: SeDebugPrivilege	752	powershell.exe
Token: SeDebugPrivilege	620	powershell.exe
Token: SeDebugPrivilege	908	powershell.exe
Token: SeDebugPrivilege	824	powershell.exe
Token: SeDebugPrivilege	1208	powershell.exe
Token: SeDebugPrivilege	524	powershell.exe
Token: SeDebugPrivilege	888	powershell.exe
Token: SeDebugPrivilege	976	powershell.exe
Token: SeDebugPrivilege	1644	powershell.exe
Token: SeDebugPrivilege	1824	powershell.exe
Token: SeDebugPrivilege	2028	powershell.exe
Token: SeDebugPrivilege	1280	powershell.exe
Token: SeDebugPrivilege	776	powershell.exe
Token: SeDebugPrivilege	1652	powershell.exe
Token: SeDebugPrivilege	1620	powershell.exe
Token: SeDebugPrivilege	692	powershell.exe
Token: SeDebugPrivilege	1064	powershell.exe
Token: SeDebugPrivilege	1704	powershell.exe
Token: SeDebugPrivilege	1824	powershell.exe
Token: SeDebugPrivilege	1984	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

LIST.exe

description	pid	process	target process
PID 744 wrote to memory of 1936	744	LIST.exe	powershell.exe
PID 744 wrote to memory of 1936	744	LIST.exe	powershell.exe
PID 744 wrote to memory of 1936	744	LIST.exe	powershell.exe
PID 744 wrote to memory of 1936	744	LIST.exe	powershell.exe
PID 744 wrote to memory of 2044	744	LIST.exe	powershell.exe
PID 744 wrote to memory of 2044	744	LIST.exe	powershell.exe
PID 744 wrote to memory of 2044	744	LIST.exe	powershell.exe
PID 744 wrote to memory of 2044	744	LIST.exe	powershell.exe
PID 744 wrote to memory of 1692	744	LIST.exe	powershell.exe
PID 744 wrote to memory of 1692	744	LIST.exe	powershell.exe
PID 744 wrote to memory of 1692	744	LIST.exe	powershell.exe
PID 744 wrote to memory of 1692	744	LIST.exe	powershell.exe
PID 744 wrote to memory of 836	744	LIST.exe	powershell.exe
PID 744 wrote to memory of 836	744	LIST.exe	powershell.exe
PID 744 wrote to memory of 836	744	LIST.exe	powershell.exe
PID 744 wrote to memory of 836	744	LIST.exe	powershell.exe
PID 744 wrote to memory of 1008	744	LIST.exe	powershell.exe
PID 744 wrote to memory of 1008	744	LIST.exe	powershell.exe
PID 744 wrote to memory of 1008	744	LIST.exe	powershell.exe
PID 744 wrote to memory of 1008	744	LIST.exe	powershell.exe
PID 744 wrote to memory of 340	744	LIST.exe	powershell.exe
PID 744 wrote to memory of 340	744	LIST.exe	powershell.exe
PID 744 wrote to memory of 340	744	LIST.exe	powershell.exe
PID 744 wrote to memory of 340	744	LIST.exe	powershell.exe
PID 744 wrote to memory of 1408	744	LIST.exe	powershell.exe
PID 744 wrote to memory of 1408	744	LIST.exe	powershell.exe
PID 744 wrote to memory of 1408	744	LIST.exe	powershell.exe
PID 744 wrote to memory of 1408	744	LIST.exe	powershell.exe
PID 744 wrote to memory of 1616	744	LIST.exe	powershell.exe
PID 744 wrote to memory of 1616	744	LIST.exe	powershell.exe
PID 744 wrote to memory of 1616	744	LIST.exe	powershell.exe
PID 744 wrote to memory of 1616	744	LIST.exe	powershell.exe
PID 744 wrote to memory of 1732	744	LIST.exe	powershell.exe
PID 744 wrote to memory of 1732	744	LIST.exe	powershell.exe
PID 744 wrote to memory of 1732	744	LIST.exe	powershell.exe
PID 744 wrote to memory of 1732	744	LIST.exe	powershell.exe
PID 744 wrote to memory of 1980	744	LIST.exe	powershell.exe
PID 744 wrote to memory of 1980	744	LIST.exe	powershell.exe
PID 744 wrote to memory of 1980	744	LIST.exe	powershell.exe
PID 744 wrote to memory of 1980	744	LIST.exe	powershell.exe
PID 744 wrote to memory of 1456	744	LIST.exe	powershell.exe
PID 744 wrote to memory of 1456	744	LIST.exe	powershell.exe
PID 744 wrote to memory of 1456	744	LIST.exe	powershell.exe
PID 744 wrote to memory of 1456	744	LIST.exe	powershell.exe
PID 744 wrote to memory of 1524	744	LIST.exe	powershell.exe
PID 744 wrote to memory of 1524	744	LIST.exe	powershell.exe
PID 744 wrote to memory of 1524	744	LIST.exe	powershell.exe
PID 744 wrote to memory of 1524	744	LIST.exe	powershell.exe
PID 744 wrote to memory of 328	744	LIST.exe	powershell.exe
PID 744 wrote to memory of 328	744	LIST.exe	powershell.exe
PID 744 wrote to memory of 328	744	LIST.exe	powershell.exe
PID 744 wrote to memory of 328	744	LIST.exe	powershell.exe
PID 744 wrote to memory of 832	744	LIST.exe	powershell.exe
PID 744 wrote to memory of 832	744	LIST.exe	powershell.exe
PID 744 wrote to memory of 832	744	LIST.exe	powershell.exe
PID 744 wrote to memory of 832	744	LIST.exe	powershell.exe
PID 744 wrote to memory of 1432	744	LIST.exe	powershell.exe
PID 744 wrote to memory of 1432	744	LIST.exe	powershell.exe
PID 744 wrote to memory of 1432	744	LIST.exe	powershell.exe
PID 744 wrote to memory of 1432	744	LIST.exe	powershell.exe
PID 744 wrote to memory of 2040	744	LIST.exe	powershell.exe
PID 744 wrote to memory of 2040	744	LIST.exe	powershell.exe
PID 744 wrote to memory of 2040	744	LIST.exe	powershell.exe
PID 744 wrote to memory of 2040	744	LIST.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\LIST.exe
"C:\Users\Admin\AppData\Local\Temp\LIST.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:744

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe 0x6B657031 -bxor 607
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1936

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe 0x656C316D -bxor 607
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2044

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe 0x3A3A412D -bxor 607
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1692

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe 0x6561763A -bxor 607
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:836

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe 0x46696E3A -bxor 607
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1008

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe 0x41286F7F -bxor 607
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:340

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe 0x72342273 -bxor 607
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1408

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe 0x2069226F -bxor 607
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1616

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe 0x7838326F -bxor 607
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1732

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe 0x3030326F -bxor 607
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1980

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe 0x302C2236 -bxor 607
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1456

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe 0x20302E7F -bxor 607
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1524

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe 0x70203273 -bxor 607
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:328

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe 0x2069226B -bxor 607
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:832

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe 0x2C206B7F -bxor 607
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1432

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe 0x30783A6F -bxor 607
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2040

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe 0x2C206B7F -bxor 607
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1868

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe 0x30296B71 -bxor 607
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1112

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe 0x72332206 -bxor 607
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1516

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe 0x6B657031 -bxor 607
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1620

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe 0x656C316D -bxor 607
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1396

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe 0x3A3A5436 -bxor 607
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1500

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe 0x7274773E -bxor 607
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:944

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe 0x6C416E33 -bxor 607
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2036

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe 0x6F632A36 -bxor 607
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:644

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe 0x302C6B7F -bxor 607
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1424

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe 0x36393166 -bxor 607
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1484

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe 0x30333169 -bxor 607
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:692

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe 0x2C206B7F -bxor 607
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1408

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe 0x3078316F -bxor 607
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2032

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe 0x30302E7F -bxor 607
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1724

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe 0x69203227 -bxor 607
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1612

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe 0x34302B2F -bxor 607
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1996

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe 0x2E723306 -bxor 607
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:684

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe 0x6B657031 -bxor 607
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2016

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe 0x656C316D -bxor 607
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1092

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe 0x3A3A513A -bxor 607
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1104

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe 0x74466B33 -bxor 607
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1664

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe 0x65506D36 -bxor 607
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1984

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe 0x6E74672D -bxor 607
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1448

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe 0x2869706C -bxor 607
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1612

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe 0x2C206B7F -bxor 607
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1996

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe 0x3734306B -bxor 607
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:368

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe 0x202C2236 -bxor 607
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2016

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe 0x20302E36 -bxor 607
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:752

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe 0x20302B36 -bxor 607
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:620

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe 0x2E723006 -bxor 607
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:908

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe 0x6B657031 -bxor 607
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:824

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe 0x656C316D -bxor 607
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1208

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe 0x3A3A503A -bxor 607
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:524

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe 0x61644436 -bxor 607
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:888

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe 0x6C652A36 -bxor 607
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:976

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe 0x72332E7F -bxor 607
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1644

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe 0x6920706E -bxor 607
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1824

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe 0x2C206B7F -bxor 607
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2028

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe 0x36393166 -bxor 607
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1280

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe 0x30333169 -bxor 607
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:776

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe 0x2C2A6B7F -bxor 607
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1652

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe 0x302C2236 -bxor 607
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1620

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe 0x20302B36 -bxor 607
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:692

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe 0x2E723006 -bxor 607
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1064

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe 0x7573672D -bxor 607
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1704

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe 0x33323865 -bxor 607
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1824

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe 0x43616E33 -bxor 607
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1984

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe 0x57696C3B -bxor 607
2⤵
PID:2000

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe 0x6F77522D -bxor 607
2⤵
PID:1920

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe 0x6F634377 -bxor 607
2⤵
PID:764

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe 0x6972337F -bxor 607
2⤵
PID:1736

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe 0x2C69226F -bxor 607
2⤵
PID:1684

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe 0x2C69226F -bxor 607
2⤵
PID:1400

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe 0x2C206B7F -bxor 607
2⤵
PID:1104

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe 0x302C2236 -bxor 607
2⤵
PID:1488

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe 0x20302B06 -bxor 607
2⤵
PID:1756

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe 0x185B66F9 -bxor 607
2⤵
PID:1980

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe 0xDF5418CD -bxor 607
2⤵
PID:1340

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe 0x94E66775 -bxor 607
2⤵
PID:1884

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe 0xBF38496F -bxor 607
2⤵
PID:1620

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe 0xC09C7ABA -bxor 607
2⤵
PID:1916

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe 0x0CCB4F44 -bxor 607
2⤵
PID:340

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe 0xCBA90766 -bxor 607
2⤵
PID:1400

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe 0x9CEEE424 -bxor 607
2⤵
PID:1432

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe 0xB8FC0185 -bxor 607
2⤵
PID:1932

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe 0x706D0B48 -bxor 607
2⤵
PID:1552

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe 0x823DA898 -bxor 607
2⤵
PID:1096

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe 0x8C2C9D7C -bxor 607
2⤵
PID:1920

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe 0x0B7B688C -bxor 607
2⤵
PID:1252

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe 0xF6DE7FA9 -bxor 607
2⤵
PID:1572

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe 0xF016482C -bxor 607
2⤵
PID:1632

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe 0x96887534 -bxor 607
2⤵
PID:340

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe 0x4AF4BC1E -bxor 607
2⤵
PID:972

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe 0xA7083625 -bxor 607
2⤵
PID:1200

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe 0x05F8010B -bxor 607
2⤵
PID:684

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe 0x7EAEFAEB -bxor 607
2⤵
PID:1420

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe 0x1AC9D583 -bxor 607
2⤵
PID:1556

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe 0x1BA0C58F -bxor 607
2⤵
PID:752

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe 0x448654C5 -bxor 607
2⤵
PID:748

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe 0x18E3E236 -bxor 607
2⤵
PID:1500

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe 0x160104CD -bxor 607
2⤵
PID:1956

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe 0xC1EE7DEB -bxor 607
2⤵
PID:1700

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe 0x402EB35A -bxor 607
2⤵
PID:1444

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe 0xA2807B81 -bxor 607
2⤵
PID:1364

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe 0x68B4374A -bxor 607
2⤵
PID:1424

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe 0xE06D8EDC -bxor 607
2⤵
PID:664

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe 0x004E97AB -bxor 607
2⤵
PID:888

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe 0x85A4DA70 -bxor 607
2⤵
PID:1620

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe 0xD9B8349C -bxor 607
2⤵
PID:1992

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe 0x165E5EA9 -bxor 607
2⤵
PID:1704

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe 0xD1530291 -bxor 607
2⤵
PID:980

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe 0x06F80214 -bxor 607
2⤵
PID:1792

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe 0x1D8777A3 -bxor 607
2⤵
PID:2000

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe 0x3D5380EA -bxor 607
2⤵
PID:2044

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe 0xE3EF1CD9 -bxor 607
2⤵
PID:1004

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe 0xFF2A9EBE -bxor 607
2⤵
PID:1900

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe 0xC00A2839 -bxor 607
2⤵
PID:1092

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe 0x15110595 -bxor 607
2⤵
PID:1500

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe 0xFC36ABAE -bxor 607
2⤵
PID:2024

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe 0x6CBE71B2 -bxor 607
2⤵
PID:1868

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe 0x8A7E62E9 -bxor 607
2⤵
PID:1928

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe 0xBC4AE10C -bxor 607
2⤵
PID:1040

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe 0xCE548E5D -bxor 607
2⤵
PID:776

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe 0xA3E556E4 -bxor 607
2⤵
PID:1204

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe 0x845C6F2A -bxor 607
2⤵
PID:1540

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe 0xC3CD1187 -bxor 607
2⤵
PID:852

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe 0xC3E0A1C4 -bxor 607
2⤵
PID:1408

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe 0x3E65BF4C -bxor 607
2⤵
PID:952

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe 0x1A53C105 -bxor 607
2⤵
PID:600

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe 0xB033195B -bxor 607
2⤵
PID:1448

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe 0x6C30A71 -bxor 607
2⤵
PID:1444

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe 0x -bxor 607
2⤵
PID:1756

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe 0x -bxor 607
2⤵
PID:1528

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe 0x -bxor 607
2⤵
PID:752

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe 0x -bxor 607
2⤵
PID:1556

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe 0x -bxor 607
2⤵
PID:1604

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe 0x -bxor 607
2⤵
PID:732

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe 0x -bxor 607
2⤵
PID:1400

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe 0x -bxor 607
2⤵
PID:1936

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe 0x -bxor 607
2⤵
PID:364

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe 0x -bxor 607
2⤵
PID:1980

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe 0x -bxor 607
2⤵
PID:684

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe 0x -bxor 607
2⤵
PID:2000

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe 0x -bxor 607
2⤵
PID:1252

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe 0x -bxor 607
2⤵
PID:1772

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe 0x -bxor 607
2⤵
PID:1440

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
c6d86432e6b987ddd3291f68469a4b1c

SHA1
9044b98cc493cc23e1f217db5fe171ef5d72d4ef

SHA256
0a3d29df7a2a30f3a308751ab40e58c2e26e74607e4f9f0472126f92a114861e

SHA512
cbd9d9fe01850629357a36f5764e75203a64bed9816c985b094ce44db17c1404ebc55a042b8713931e83c41f5ac3c764dfe88a5120ef59e8a82e8494a3cdcbbc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
c6d86432e6b987ddd3291f68469a4b1c

SHA1
9044b98cc493cc23e1f217db5fe171ef5d72d4ef

SHA256
0a3d29df7a2a30f3a308751ab40e58c2e26e74607e4f9f0472126f92a114861e

SHA512
cbd9d9fe01850629357a36f5764e75203a64bed9816c985b094ce44db17c1404ebc55a042b8713931e83c41f5ac3c764dfe88a5120ef59e8a82e8494a3cdcbbc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
c6d86432e6b987ddd3291f68469a4b1c

SHA1
9044b98cc493cc23e1f217db5fe171ef5d72d4ef

SHA256
0a3d29df7a2a30f3a308751ab40e58c2e26e74607e4f9f0472126f92a114861e

SHA512
cbd9d9fe01850629357a36f5764e75203a64bed9816c985b094ce44db17c1404ebc55a042b8713931e83c41f5ac3c764dfe88a5120ef59e8a82e8494a3cdcbbc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
c6d86432e6b987ddd3291f68469a4b1c

SHA1
9044b98cc493cc23e1f217db5fe171ef5d72d4ef

SHA256
0a3d29df7a2a30f3a308751ab40e58c2e26e74607e4f9f0472126f92a114861e

SHA512
cbd9d9fe01850629357a36f5764e75203a64bed9816c985b094ce44db17c1404ebc55a042b8713931e83c41f5ac3c764dfe88a5120ef59e8a82e8494a3cdcbbc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
c6d86432e6b987ddd3291f68469a4b1c

SHA1
9044b98cc493cc23e1f217db5fe171ef5d72d4ef

SHA256
0a3d29df7a2a30f3a308751ab40e58c2e26e74607e4f9f0472126f92a114861e

SHA512
cbd9d9fe01850629357a36f5764e75203a64bed9816c985b094ce44db17c1404ebc55a042b8713931e83c41f5ac3c764dfe88a5120ef59e8a82e8494a3cdcbbc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
c6d86432e6b987ddd3291f68469a4b1c

SHA1
9044b98cc493cc23e1f217db5fe171ef5d72d4ef

SHA256
0a3d29df7a2a30f3a308751ab40e58c2e26e74607e4f9f0472126f92a114861e

SHA512
cbd9d9fe01850629357a36f5764e75203a64bed9816c985b094ce44db17c1404ebc55a042b8713931e83c41f5ac3c764dfe88a5120ef59e8a82e8494a3cdcbbc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
c6d86432e6b987ddd3291f68469a4b1c

SHA1
9044b98cc493cc23e1f217db5fe171ef5d72d4ef

SHA256
0a3d29df7a2a30f3a308751ab40e58c2e26e74607e4f9f0472126f92a114861e

SHA512
cbd9d9fe01850629357a36f5764e75203a64bed9816c985b094ce44db17c1404ebc55a042b8713931e83c41f5ac3c764dfe88a5120ef59e8a82e8494a3cdcbbc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
c6d86432e6b987ddd3291f68469a4b1c

SHA1
9044b98cc493cc23e1f217db5fe171ef5d72d4ef

SHA256
0a3d29df7a2a30f3a308751ab40e58c2e26e74607e4f9f0472126f92a114861e

SHA512
cbd9d9fe01850629357a36f5764e75203a64bed9816c985b094ce44db17c1404ebc55a042b8713931e83c41f5ac3c764dfe88a5120ef59e8a82e8494a3cdcbbc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
c6d86432e6b987ddd3291f68469a4b1c

SHA1
9044b98cc493cc23e1f217db5fe171ef5d72d4ef

SHA256
0a3d29df7a2a30f3a308751ab40e58c2e26e74607e4f9f0472126f92a114861e

SHA512
cbd9d9fe01850629357a36f5764e75203a64bed9816c985b094ce44db17c1404ebc55a042b8713931e83c41f5ac3c764dfe88a5120ef59e8a82e8494a3cdcbbc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
c6d86432e6b987ddd3291f68469a4b1c

SHA1
9044b98cc493cc23e1f217db5fe171ef5d72d4ef

SHA256
0a3d29df7a2a30f3a308751ab40e58c2e26e74607e4f9f0472126f92a114861e

SHA512
cbd9d9fe01850629357a36f5764e75203a64bed9816c985b094ce44db17c1404ebc55a042b8713931e83c41f5ac3c764dfe88a5120ef59e8a82e8494a3cdcbbc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
c6d86432e6b987ddd3291f68469a4b1c

SHA1
9044b98cc493cc23e1f217db5fe171ef5d72d4ef

SHA256
0a3d29df7a2a30f3a308751ab40e58c2e26e74607e4f9f0472126f92a114861e

SHA512
cbd9d9fe01850629357a36f5764e75203a64bed9816c985b094ce44db17c1404ebc55a042b8713931e83c41f5ac3c764dfe88a5120ef59e8a82e8494a3cdcbbc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
c6d86432e6b987ddd3291f68469a4b1c

SHA1
9044b98cc493cc23e1f217db5fe171ef5d72d4ef

SHA256
0a3d29df7a2a30f3a308751ab40e58c2e26e74607e4f9f0472126f92a114861e

SHA512
cbd9d9fe01850629357a36f5764e75203a64bed9816c985b094ce44db17c1404ebc55a042b8713931e83c41f5ac3c764dfe88a5120ef59e8a82e8494a3cdcbbc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
c6d86432e6b987ddd3291f68469a4b1c

SHA1
9044b98cc493cc23e1f217db5fe171ef5d72d4ef

SHA256
0a3d29df7a2a30f3a308751ab40e58c2e26e74607e4f9f0472126f92a114861e

SHA512
cbd9d9fe01850629357a36f5764e75203a64bed9816c985b094ce44db17c1404ebc55a042b8713931e83c41f5ac3c764dfe88a5120ef59e8a82e8494a3cdcbbc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
c6d86432e6b987ddd3291f68469a4b1c

SHA1
9044b98cc493cc23e1f217db5fe171ef5d72d4ef

SHA256
0a3d29df7a2a30f3a308751ab40e58c2e26e74607e4f9f0472126f92a114861e

SHA512
cbd9d9fe01850629357a36f5764e75203a64bed9816c985b094ce44db17c1404ebc55a042b8713931e83c41f5ac3c764dfe88a5120ef59e8a82e8494a3cdcbbc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
c6d86432e6b987ddd3291f68469a4b1c

SHA1
9044b98cc493cc23e1f217db5fe171ef5d72d4ef

SHA256
0a3d29df7a2a30f3a308751ab40e58c2e26e74607e4f9f0472126f92a114861e

SHA512
cbd9d9fe01850629357a36f5764e75203a64bed9816c985b094ce44db17c1404ebc55a042b8713931e83c41f5ac3c764dfe88a5120ef59e8a82e8494a3cdcbbc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
c6d86432e6b987ddd3291f68469a4b1c

SHA1
9044b98cc493cc23e1f217db5fe171ef5d72d4ef

SHA256
0a3d29df7a2a30f3a308751ab40e58c2e26e74607e4f9f0472126f92a114861e

SHA512
cbd9d9fe01850629357a36f5764e75203a64bed9816c985b094ce44db17c1404ebc55a042b8713931e83c41f5ac3c764dfe88a5120ef59e8a82e8494a3cdcbbc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
c6d86432e6b987ddd3291f68469a4b1c

SHA1
9044b98cc493cc23e1f217db5fe171ef5d72d4ef

SHA256
0a3d29df7a2a30f3a308751ab40e58c2e26e74607e4f9f0472126f92a114861e

SHA512
cbd9d9fe01850629357a36f5764e75203a64bed9816c985b094ce44db17c1404ebc55a042b8713931e83c41f5ac3c764dfe88a5120ef59e8a82e8494a3cdcbbc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
c6d86432e6b987ddd3291f68469a4b1c

SHA1
9044b98cc493cc23e1f217db5fe171ef5d72d4ef

SHA256
0a3d29df7a2a30f3a308751ab40e58c2e26e74607e4f9f0472126f92a114861e

SHA512
cbd9d9fe01850629357a36f5764e75203a64bed9816c985b094ce44db17c1404ebc55a042b8713931e83c41f5ac3c764dfe88a5120ef59e8a82e8494a3cdcbbc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
c6d86432e6b987ddd3291f68469a4b1c

SHA1
9044b98cc493cc23e1f217db5fe171ef5d72d4ef

SHA256
0a3d29df7a2a30f3a308751ab40e58c2e26e74607e4f9f0472126f92a114861e

SHA512
cbd9d9fe01850629357a36f5764e75203a64bed9816c985b094ce44db17c1404ebc55a042b8713931e83c41f5ac3c764dfe88a5120ef59e8a82e8494a3cdcbbc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
c6d86432e6b987ddd3291f68469a4b1c

SHA1
9044b98cc493cc23e1f217db5fe171ef5d72d4ef

SHA256
0a3d29df7a2a30f3a308751ab40e58c2e26e74607e4f9f0472126f92a114861e

SHA512
cbd9d9fe01850629357a36f5764e75203a64bed9816c985b094ce44db17c1404ebc55a042b8713931e83c41f5ac3c764dfe88a5120ef59e8a82e8494a3cdcbbc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
c6d86432e6b987ddd3291f68469a4b1c

SHA1
9044b98cc493cc23e1f217db5fe171ef5d72d4ef

SHA256
0a3d29df7a2a30f3a308751ab40e58c2e26e74607e4f9f0472126f92a114861e

SHA512
cbd9d9fe01850629357a36f5764e75203a64bed9816c985b094ce44db17c1404ebc55a042b8713931e83c41f5ac3c764dfe88a5120ef59e8a82e8494a3cdcbbc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
c6d86432e6b987ddd3291f68469a4b1c

SHA1
9044b98cc493cc23e1f217db5fe171ef5d72d4ef

SHA256
0a3d29df7a2a30f3a308751ab40e58c2e26e74607e4f9f0472126f92a114861e

SHA512
cbd9d9fe01850629357a36f5764e75203a64bed9816c985b094ce44db17c1404ebc55a042b8713931e83c41f5ac3c764dfe88a5120ef59e8a82e8494a3cdcbbc

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Local\Temp\nsdFB80.tmp\System.dll
Filesize
11KB

MD5
3f176d1ee13b0d7d6bd92e1c7a0b9bae

SHA1
fe582246792774c2c9dd15639ffa0aca90d6fd0b

SHA256
fa4ab1d6f79fd677433a31ada7806373a789d34328da46ccb0449bbf347bd73e

SHA512
0a69124819b7568d0dea4e9e85ce8fe61c7ba697c934e3a95e2dcfb9f252b1d9da7faf8774b6e8efd614885507acc94987733eba09a2f5e7098b774dfc8524b6

Download Submit
\Users\Admin\AppData\Local\Temp\nsdFB80.tmp\nsExec.dll
Filesize
6KB

MD5
b5a1f9dc73e2944a388a61411bdd8c70

SHA1
dc9b20df3f3810c2e81a0c54dea385704ba8bef7

SHA256
288100583f65a2b7acfc0c7e231c0e268c58d3067675543f627c01e82f6fd884

SHA512
b9c8d71b5da00f2aff7847b9ec3bd8a588afeb525f47a0df235b52f7b2233edb3928a2c8e0b493f287c923cc52a340ad6fee99822595d6591df0e97870de92a8

Download Submit
\Users\Admin\AppData\Local\Temp\nsdFB80.tmp\nsExec.dll
Filesize
6KB

MD5
b5a1f9dc73e2944a388a61411bdd8c70

SHA1
dc9b20df3f3810c2e81a0c54dea385704ba8bef7

SHA256
288100583f65a2b7acfc0c7e231c0e268c58d3067675543f627c01e82f6fd884

SHA512
b9c8d71b5da00f2aff7847b9ec3bd8a588afeb525f47a0df235b52f7b2233edb3928a2c8e0b493f287c923cc52a340ad6fee99822595d6591df0e97870de92a8

Download Submit
\Users\Admin\AppData\Local\Temp\nsdFB80.tmp\nsExec.dll
Filesize
6KB

MD5
b5a1f9dc73e2944a388a61411bdd8c70

SHA1
dc9b20df3f3810c2e81a0c54dea385704ba8bef7

SHA256
288100583f65a2b7acfc0c7e231c0e268c58d3067675543f627c01e82f6fd884

SHA512
b9c8d71b5da00f2aff7847b9ec3bd8a588afeb525f47a0df235b52f7b2233edb3928a2c8e0b493f287c923cc52a340ad6fee99822595d6591df0e97870de92a8

Download Submit
\Users\Admin\AppData\Local\Temp\nsdFB80.tmp\nsExec.dll
Filesize
6KB

MD5
b5a1f9dc73e2944a388a61411bdd8c70

SHA1
dc9b20df3f3810c2e81a0c54dea385704ba8bef7

SHA256
288100583f65a2b7acfc0c7e231c0e268c58d3067675543f627c01e82f6fd884

SHA512
b9c8d71b5da00f2aff7847b9ec3bd8a588afeb525f47a0df235b52f7b2233edb3928a2c8e0b493f287c923cc52a340ad6fee99822595d6591df0e97870de92a8

Download Submit
\Users\Admin\AppData\Local\Temp\nsdFB80.tmp\nsExec.dll
Filesize
6KB

MD5
b5a1f9dc73e2944a388a61411bdd8c70

SHA1
dc9b20df3f3810c2e81a0c54dea385704ba8bef7

SHA256
288100583f65a2b7acfc0c7e231c0e268c58d3067675543f627c01e82f6fd884

SHA512
b9c8d71b5da00f2aff7847b9ec3bd8a588afeb525f47a0df235b52f7b2233edb3928a2c8e0b493f287c923cc52a340ad6fee99822595d6591df0e97870de92a8

Download Submit
\Users\Admin\AppData\Local\Temp\nsdFB80.tmp\nsExec.dll
Filesize
6KB

MD5
b5a1f9dc73e2944a388a61411bdd8c70

SHA1
dc9b20df3f3810c2e81a0c54dea385704ba8bef7

SHA256
288100583f65a2b7acfc0c7e231c0e268c58d3067675543f627c01e82f6fd884

SHA512
b9c8d71b5da00f2aff7847b9ec3bd8a588afeb525f47a0df235b52f7b2233edb3928a2c8e0b493f287c923cc52a340ad6fee99822595d6591df0e97870de92a8

Download Submit
\Users\Admin\AppData\Local\Temp\nsdFB80.tmp\nsExec.dll
Filesize
6KB

MD5
b5a1f9dc73e2944a388a61411bdd8c70

SHA1
dc9b20df3f3810c2e81a0c54dea385704ba8bef7

SHA256
288100583f65a2b7acfc0c7e231c0e268c58d3067675543f627c01e82f6fd884

SHA512
b9c8d71b5da00f2aff7847b9ec3bd8a588afeb525f47a0df235b52f7b2233edb3928a2c8e0b493f287c923cc52a340ad6fee99822595d6591df0e97870de92a8

Download Submit
\Users\Admin\AppData\Local\Temp\nsdFB80.tmp\nsExec.dll
Filesize
6KB

MD5
b5a1f9dc73e2944a388a61411bdd8c70

SHA1
dc9b20df3f3810c2e81a0c54dea385704ba8bef7

SHA256
288100583f65a2b7acfc0c7e231c0e268c58d3067675543f627c01e82f6fd884

SHA512
b9c8d71b5da00f2aff7847b9ec3bd8a588afeb525f47a0df235b52f7b2233edb3928a2c8e0b493f287c923cc52a340ad6fee99822595d6591df0e97870de92a8

Download Submit
\Users\Admin\AppData\Local\Temp\nsdFB80.tmp\nsExec.dll
Filesize
6KB

MD5
b5a1f9dc73e2944a388a61411bdd8c70

SHA1
dc9b20df3f3810c2e81a0c54dea385704ba8bef7

SHA256
288100583f65a2b7acfc0c7e231c0e268c58d3067675543f627c01e82f6fd884

SHA512
b9c8d71b5da00f2aff7847b9ec3bd8a588afeb525f47a0df235b52f7b2233edb3928a2c8e0b493f287c923cc52a340ad6fee99822595d6591df0e97870de92a8

Download Submit
\Users\Admin\AppData\Local\Temp\nsdFB80.tmp\nsExec.dll
Filesize
6KB

MD5
b5a1f9dc73e2944a388a61411bdd8c70

SHA1
dc9b20df3f3810c2e81a0c54dea385704ba8bef7

SHA256
288100583f65a2b7acfc0c7e231c0e268c58d3067675543f627c01e82f6fd884

SHA512
b9c8d71b5da00f2aff7847b9ec3bd8a588afeb525f47a0df235b52f7b2233edb3928a2c8e0b493f287c923cc52a340ad6fee99822595d6591df0e97870de92a8

Download Submit
\Users\Admin\AppData\Local\Temp\nsdFB80.tmp\nsExec.dll
Filesize
6KB

MD5
b5a1f9dc73e2944a388a61411bdd8c70

SHA1
dc9b20df3f3810c2e81a0c54dea385704ba8bef7

SHA256
288100583f65a2b7acfc0c7e231c0e268c58d3067675543f627c01e82f6fd884

SHA512
b9c8d71b5da00f2aff7847b9ec3bd8a588afeb525f47a0df235b52f7b2233edb3928a2c8e0b493f287c923cc52a340ad6fee99822595d6591df0e97870de92a8

Download Submit
\Users\Admin\AppData\Local\Temp\nsdFB80.tmp\nsExec.dll
Filesize
6KB

MD5
b5a1f9dc73e2944a388a61411bdd8c70

SHA1
dc9b20df3f3810c2e81a0c54dea385704ba8bef7

SHA256
288100583f65a2b7acfc0c7e231c0e268c58d3067675543f627c01e82f6fd884

SHA512
b9c8d71b5da00f2aff7847b9ec3bd8a588afeb525f47a0df235b52f7b2233edb3928a2c8e0b493f287c923cc52a340ad6fee99822595d6591df0e97870de92a8

Download Submit
\Users\Admin\AppData\Local\Temp\nsdFB80.tmp\nsExec.dll
Filesize
6KB

MD5
b5a1f9dc73e2944a388a61411bdd8c70

SHA1
dc9b20df3f3810c2e81a0c54dea385704ba8bef7

SHA256
288100583f65a2b7acfc0c7e231c0e268c58d3067675543f627c01e82f6fd884

SHA512
b9c8d71b5da00f2aff7847b9ec3bd8a588afeb525f47a0df235b52f7b2233edb3928a2c8e0b493f287c923cc52a340ad6fee99822595d6591df0e97870de92a8

Download Submit
\Users\Admin\AppData\Local\Temp\nsdFB80.tmp\nsExec.dll
Filesize
6KB

MD5
b5a1f9dc73e2944a388a61411bdd8c70

SHA1
dc9b20df3f3810c2e81a0c54dea385704ba8bef7

SHA256
288100583f65a2b7acfc0c7e231c0e268c58d3067675543f627c01e82f6fd884

SHA512
b9c8d71b5da00f2aff7847b9ec3bd8a588afeb525f47a0df235b52f7b2233edb3928a2c8e0b493f287c923cc52a340ad6fee99822595d6591df0e97870de92a8

Download Submit
\Users\Admin\AppData\Local\Temp\nsdFB80.tmp\nsExec.dll
Filesize
6KB

MD5
b5a1f9dc73e2944a388a61411bdd8c70

SHA1
dc9b20df3f3810c2e81a0c54dea385704ba8bef7

SHA256
288100583f65a2b7acfc0c7e231c0e268c58d3067675543f627c01e82f6fd884

SHA512
b9c8d71b5da00f2aff7847b9ec3bd8a588afeb525f47a0df235b52f7b2233edb3928a2c8e0b493f287c923cc52a340ad6fee99822595d6591df0e97870de92a8

Download Submit
\Users\Admin\AppData\Local\Temp\nsdFB80.tmp\nsExec.dll
Filesize
6KB

MD5
b5a1f9dc73e2944a388a61411bdd8c70

SHA1
dc9b20df3f3810c2e81a0c54dea385704ba8bef7

SHA256
288100583f65a2b7acfc0c7e231c0e268c58d3067675543f627c01e82f6fd884

SHA512
b9c8d71b5da00f2aff7847b9ec3bd8a588afeb525f47a0df235b52f7b2233edb3928a2c8e0b493f287c923cc52a340ad6fee99822595d6591df0e97870de92a8

Download Submit
\Users\Admin\AppData\Local\Temp\nsdFB80.tmp\nsExec.dll
Filesize
6KB

MD5
b5a1f9dc73e2944a388a61411bdd8c70

SHA1
dc9b20df3f3810c2e81a0c54dea385704ba8bef7

SHA256
288100583f65a2b7acfc0c7e231c0e268c58d3067675543f627c01e82f6fd884

SHA512
b9c8d71b5da00f2aff7847b9ec3bd8a588afeb525f47a0df235b52f7b2233edb3928a2c8e0b493f287c923cc52a340ad6fee99822595d6591df0e97870de92a8

Download Submit
\Users\Admin\AppData\Local\Temp\nsdFB80.tmp\nsExec.dll
Filesize
6KB

MD5
b5a1f9dc73e2944a388a61411bdd8c70

SHA1
dc9b20df3f3810c2e81a0c54dea385704ba8bef7

SHA256
288100583f65a2b7acfc0c7e231c0e268c58d3067675543f627c01e82f6fd884

SHA512
b9c8d71b5da00f2aff7847b9ec3bd8a588afeb525f47a0df235b52f7b2233edb3928a2c8e0b493f287c923cc52a340ad6fee99822595d6591df0e97870de92a8

Download Submit
\Users\Admin\AppData\Local\Temp\nsdFB80.tmp\nsExec.dll
Filesize
6KB

MD5
b5a1f9dc73e2944a388a61411bdd8c70

SHA1
dc9b20df3f3810c2e81a0c54dea385704ba8bef7

SHA256
288100583f65a2b7acfc0c7e231c0e268c58d3067675543f627c01e82f6fd884

SHA512
b9c8d71b5da00f2aff7847b9ec3bd8a588afeb525f47a0df235b52f7b2233edb3928a2c8e0b493f287c923cc52a340ad6fee99822595d6591df0e97870de92a8

Download Submit
\Users\Admin\AppData\Local\Temp\nsdFB80.tmp\nsExec.dll
Filesize
6KB

MD5
b5a1f9dc73e2944a388a61411bdd8c70

SHA1
dc9b20df3f3810c2e81a0c54dea385704ba8bef7

SHA256
288100583f65a2b7acfc0c7e231c0e268c58d3067675543f627c01e82f6fd884

SHA512
b9c8d71b5da00f2aff7847b9ec3bd8a588afeb525f47a0df235b52f7b2233edb3928a2c8e0b493f287c923cc52a340ad6fee99822595d6591df0e97870de92a8

Download Submit
\Users\Admin\AppData\Local\Temp\nsdFB80.tmp\nsExec.dll
Filesize
6KB

MD5
b5a1f9dc73e2944a388a61411bdd8c70

SHA1
dc9b20df3f3810c2e81a0c54dea385704ba8bef7

SHA256
288100583f65a2b7acfc0c7e231c0e268c58d3067675543f627c01e82f6fd884

SHA512
b9c8d71b5da00f2aff7847b9ec3bd8a588afeb525f47a0df235b52f7b2233edb3928a2c8e0b493f287c923cc52a340ad6fee99822595d6591df0e97870de92a8

Download Submit
\Users\Admin\AppData\Local\Temp\nsdFB80.tmp\nsExec.dll
Filesize
6KB

MD5
b5a1f9dc73e2944a388a61411bdd8c70

SHA1
dc9b20df3f3810c2e81a0c54dea385704ba8bef7

SHA256
288100583f65a2b7acfc0c7e231c0e268c58d3067675543f627c01e82f6fd884

SHA512
b9c8d71b5da00f2aff7847b9ec3bd8a588afeb525f47a0df235b52f7b2233edb3928a2c8e0b493f287c923cc52a340ad6fee99822595d6591df0e97870de92a8

Download Submit
\Users\Admin\AppData\Local\Temp\nsdFB80.tmp\nsExec.dll
Filesize
6KB

MD5
b5a1f9dc73e2944a388a61411bdd8c70

SHA1
dc9b20df3f3810c2e81a0c54dea385704ba8bef7

SHA256
288100583f65a2b7acfc0c7e231c0e268c58d3067675543f627c01e82f6fd884

SHA512
b9c8d71b5da00f2aff7847b9ec3bd8a588afeb525f47a0df235b52f7b2233edb3928a2c8e0b493f287c923cc52a340ad6fee99822595d6591df0e97870de92a8

Download Submit
memory/328-122-0x0000000000000000-mapping.dmp

Download
memory/328-125-0x0000000073CF0000-0x000000007429B000-memory.dmp

Filesize
5.7MB

Download
memory/340-85-0x0000000000000000-mapping.dmp

Download
memory/340-88-0x0000000073D00000-0x00000000742AB000-memory.dmp

Filesize
5.7MB

Download
memory/368-238-0x0000000000000000-mapping.dmp

Download
memory/368-240-0x0000000073CF0000-0x000000007429B000-memory.dmp

Filesize
5.7MB

Download
memory/524-259-0x0000000000000000-mapping.dmp

Download
memory/524-261-0x0000000073D00000-0x00000000742AB000-memory.dmp

Filesize
5.7MB

Download
memory/620-249-0x0000000073D00000-0x00000000742AB000-memory.dmp

Filesize
5.7MB

Download
memory/620-247-0x0000000000000000-mapping.dmp

Download
memory/644-182-0x0000000073CF0000-0x000000007429B000-memory.dmp

Filesize
5.7MB

Download
memory/644-180-0x0000000000000000-mapping.dmp

Download
memory/684-213-0x0000000073D00000-0x00000000742AB000-memory.dmp

Filesize
5.7MB

Download
memory/684-211-0x0000000000000000-mapping.dmp

Download
memory/692-292-0x0000000000000000-mapping.dmp

Download
memory/692-192-0x0000000073D00000-0x00000000742AB000-memory.dmp

Filesize
5.7MB

Download
memory/692-191-0x0000000073D00000-0x00000000742AB000-memory.dmp

Filesize
5.7MB

Download
memory/692-189-0x0000000000000000-mapping.dmp

Download
memory/744-54-0x0000000075FB1000-0x0000000075FB3000-memory.dmp

Filesize
8KB

Download
memory/752-244-0x0000000000000000-mapping.dmp

Download
memory/752-246-0x0000000073CF0000-0x000000007429B000-memory.dmp

Filesize
5.7MB

Download
memory/776-282-0x0000000000000000-mapping.dmp

Download
memory/824-255-0x0000000073D00000-0x00000000742AB000-memory.dmp

Filesize
5.7MB

Download
memory/824-253-0x0000000000000000-mapping.dmp

Download
memory/832-130-0x0000000073D00000-0x00000000742AB000-memory.dmp

Filesize
5.7MB

Download
memory/832-127-0x0000000000000000-mapping.dmp

Download
memory/836-76-0x0000000073D00000-0x00000000742AB000-memory.dmp

Filesize
5.7MB

Download
memory/836-73-0x0000000000000000-mapping.dmp

Download
memory/888-264-0x0000000073CF0000-0x000000007429B000-memory.dmp

Filesize
5.7MB

Download
memory/888-265-0x0000000073CF0000-0x000000007429B000-memory.dmp

Filesize
5.7MB

Download
memory/888-262-0x0000000000000000-mapping.dmp

Download
memory/908-250-0x0000000000000000-mapping.dmp

Download
memory/908-252-0x0000000073CF0000-0x000000007429B000-memory.dmp

Filesize
5.7MB

Download
memory/944-176-0x0000000073CF0000-0x000000007429B000-memory.dmp

Filesize
5.7MB

Download
memory/944-172-0x0000000000000000-mapping.dmp

Download
memory/944-175-0x0000000073CF0000-0x000000007429B000-memory.dmp

Filesize
5.7MB

Download
memory/976-266-0x0000000000000000-mapping.dmp

Download
memory/976-268-0x0000000073D00000-0x00000000742AB000-memory.dmp

Filesize
5.7MB

Download
memory/1008-83-0x0000000073CF0000-0x000000007429B000-memory.dmp

Filesize
5.7MB

Download
memory/1008-78-0x0000000000000000-mapping.dmp

Download
memory/1008-82-0x0000000073CF0000-0x000000007429B000-memory.dmp

Filesize
5.7MB

Download
memory/1064-295-0x0000000000000000-mapping.dmp

Download
memory/1092-217-0x0000000000000000-mapping.dmp

Download
memory/1092-219-0x0000000073D00000-0x00000000742AB000-memory.dmp

Filesize
5.7MB

Download
memory/1104-220-0x0000000000000000-mapping.dmp

Download
memory/1104-222-0x0000000073CF0000-0x000000007429B000-memory.dmp

Filesize
5.7MB

Download
memory/1112-150-0x0000000073D00000-0x00000000742AB000-memory.dmp

Filesize
5.7MB

Download
memory/1112-147-0x0000000000000000-mapping.dmp

Download
memory/1208-258-0x0000000073CF0000-0x000000007429B000-memory.dmp

Filesize
5.7MB

Download
memory/1208-256-0x0000000000000000-mapping.dmp

Download
memory/1280-279-0x0000000000000000-mapping.dmp

Download
memory/1396-165-0x0000000073CF0000-0x000000007429B000-memory.dmp

Filesize
5.7MB

Download
memory/1396-162-0x0000000000000000-mapping.dmp

Download
memory/1408-193-0x0000000000000000-mapping.dmp

Download
memory/1408-195-0x0000000073CF0000-0x000000007429B000-memory.dmp

Filesize
5.7MB

Download
memory/1408-90-0x0000000000000000-mapping.dmp

Download
memory/1408-93-0x0000000073CF0000-0x000000007429B000-memory.dmp

Filesize
5.7MB

Download
memory/1424-183-0x0000000000000000-mapping.dmp

Download
memory/1424-185-0x0000000073D00000-0x00000000742AB000-memory.dmp

Filesize
5.7MB

Download
memory/1432-135-0x0000000073CF0000-0x000000007429B000-memory.dmp

Filesize
5.7MB

Download
memory/1432-132-0x0000000000000000-mapping.dmp

Download
memory/1448-231-0x0000000073D00000-0x00000000742AB000-memory.dmp

Filesize
5.7MB

Download
memory/1448-229-0x0000000000000000-mapping.dmp

Download
memory/1456-111-0x0000000000000000-mapping.dmp

Download
memory/1456-115-0x0000000073CF0000-0x000000007429B000-memory.dmp

Filesize
5.7MB

Download
memory/1484-188-0x0000000073CF0000-0x000000007429B000-memory.dmp

Filesize
5.7MB

Download
memory/1484-186-0x0000000000000000-mapping.dmp

Download
memory/1500-167-0x0000000000000000-mapping.dmp

Download
memory/1500-170-0x0000000073D00000-0x00000000742AB000-memory.dmp

Filesize
5.7MB

Download
memory/1516-155-0x0000000073CF0000-0x000000007429B000-memory.dmp

Filesize
5.7MB

Download
memory/1516-152-0x0000000000000000-mapping.dmp

Download
memory/1524-117-0x0000000000000000-mapping.dmp

Download
memory/1524-120-0x0000000073D00000-0x00000000742AB000-memory.dmp

Filesize
5.7MB

Download
memory/1612-205-0x0000000073D00000-0x00000000742AB000-memory.dmp

Filesize
5.7MB

Download
memory/1612-234-0x0000000073CF0000-0x000000007429B000-memory.dmp

Filesize
5.7MB

Download
memory/1612-203-0x0000000000000000-mapping.dmp

Download
memory/1612-206-0x0000000073D00000-0x00000000742AB000-memory.dmp

Filesize
5.7MB

Download
memory/1612-232-0x0000000000000000-mapping.dmp

Download
memory/1616-95-0x0000000000000000-mapping.dmp

Download
memory/1616-98-0x0000000073D00000-0x00000000742AB000-memory.dmp

Filesize
5.7MB

Download
memory/1616-99-0x0000000073D00000-0x00000000742AB000-memory.dmp

Filesize
5.7MB

Download
memory/1620-157-0x0000000000000000-mapping.dmp

Download
memory/1620-288-0x0000000000000000-mapping.dmp

Download
memory/1620-160-0x0000000073D00000-0x00000000742AB000-memory.dmp

Filesize
5.7MB

Download
memory/1644-269-0x0000000000000000-mapping.dmp

Download
memory/1644-271-0x0000000073CF0000-0x000000007429B000-memory.dmp

Filesize
5.7MB

Download
memory/1652-285-0x0000000000000000-mapping.dmp

Download
memory/1664-223-0x0000000000000000-mapping.dmp

Download
memory/1664-225-0x0000000073D00000-0x00000000742AB000-memory.dmp

Filesize
5.7MB

Download
memory/1692-71-0x0000000073CF0000-0x000000007429B000-memory.dmp

Filesize
5.7MB

Download
memory/1692-67-0x0000000000000000-mapping.dmp

Download
memory/1704-298-0x0000000000000000-mapping.dmp

Download
memory/1724-202-0x0000000073CF0000-0x000000007429B000-memory.dmp

Filesize
5.7MB

Download
memory/1724-199-0x0000000000000000-mapping.dmp

Download
memory/1724-201-0x0000000073CF0000-0x000000007429B000-memory.dmp

Filesize
5.7MB

Download
memory/1732-101-0x0000000000000000-mapping.dmp

Download
memory/1732-104-0x0000000073CF0000-0x000000007429B000-memory.dmp

Filesize
5.7MB

Download
memory/1824-272-0x0000000000000000-mapping.dmp

Download
memory/1824-274-0x0000000073D00000-0x00000000742AB000-memory.dmp

Filesize
5.7MB

Download
memory/1824-275-0x0000000073D00000-0x00000000742AB000-memory.dmp

Filesize
5.7MB

Download
memory/1824-301-0x0000000000000000-mapping.dmp

Download
memory/1868-142-0x0000000000000000-mapping.dmp

Download
memory/1868-210-0x0000000073CF0000-0x000000007429B000-memory.dmp

Filesize
5.7MB

Download
memory/1868-145-0x0000000073CF0000-0x000000007429B000-memory.dmp

Filesize
5.7MB

Download
memory/1936-57-0x0000000000000000-mapping.dmp

Download
memory/1936-59-0x0000000073D30000-0x00000000742DB000-memory.dmp

Filesize
5.7MB

Download
memory/1936-60-0x0000000073D30000-0x00000000742DB000-memory.dmp

Filesize
5.7MB

Download
memory/1980-109-0x0000000073D00000-0x00000000742AB000-memory.dmp

Filesize
5.7MB

Download
memory/1980-106-0x0000000000000000-mapping.dmp

Download
memory/1984-228-0x0000000073CF0000-0x000000007429B000-memory.dmp

Filesize
5.7MB

Download
memory/1984-304-0x0000000000000000-mapping.dmp

Download
memory/1984-226-0x0000000000000000-mapping.dmp

Download
memory/1996-237-0x0000000073D00000-0x00000000742AB000-memory.dmp

Filesize
5.7MB

Download
memory/1996-207-0x0000000000000000-mapping.dmp

Download
memory/1996-209-0x0000000073CF0000-0x000000007429B000-memory.dmp

Filesize
5.7MB

Download
memory/1996-235-0x0000000000000000-mapping.dmp

Download
memory/2016-241-0x0000000000000000-mapping.dmp

Download
memory/2016-214-0x0000000000000000-mapping.dmp

Download
memory/2016-216-0x0000000073CF0000-0x000000007429B000-memory.dmp

Filesize
5.7MB

Download
memory/2016-243-0x0000000073D00000-0x00000000742AB000-memory.dmp

Filesize
5.7MB

Download
memory/2028-276-0x0000000000000000-mapping.dmp

Download
memory/2032-196-0x0000000000000000-mapping.dmp

Download
memory/2032-198-0x0000000073D00000-0x00000000742AB000-memory.dmp

Filesize
5.7MB

Download
memory/2036-177-0x0000000000000000-mapping.dmp

Download
memory/2036-179-0x0000000073D00000-0x00000000742AB000-memory.dmp

Filesize
5.7MB

Download
memory/2040-137-0x0000000000000000-mapping.dmp

Download
memory/2040-140-0x0000000073D00000-0x00000000742AB000-memory.dmp

Filesize
5.7MB

Download
memory/2044-62-0x0000000000000000-mapping.dmp

Download
memory/2044-65-0x0000000073CE0000-0x000000007428B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads