Overview

overview

8

Static

static

3

svchost_du...py.exe

windows7-x64

8

svchost_du...py.exe

windows10-1703-x64

8

svchost_du...py.exe

windows10-2004-x64

8

svchost_du...py.exe

windows11-21h2-x64

8

Resubmissions

12-04-2024 13:32

240412-qtgfpsag84 8

12-04-2024 13:32

240412-qtc4aaag83 8

12-04-2024 13:32

240412-qtcshsag82 8

12-04-2024 13:32

240412-qtb6zsag79 8

12-04-2024 13:32

240412-qtbkfsdh4s 8

09-04-2024 05:34

240409-f9mmjsbc9t 8

09-04-2024 05:33

240409-f9bkaabc8w 8

09-04-2024 05:33

240409-f86n2abc71 8

09-04-2024 05:33

240409-f8wh3afh27 8

01-02-2024 11:29

240201-nlq9tsebck 10

Analysis

  • max time kernel
    1194s
  • max time network
    1202s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09-04-2024 05:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    svchost_dump_SCY - Copy.exe

  • Size

    5.2MB

  • MD5

    5fd3d21a968f4b8a1577b5405ab1c36a

  • SHA1

    710e5ab0fceb71b982b966c3a7406ebdf1d2aa82

  • SHA256

    7ac7b42889e14cbd8c7cebe692566ca045d0034f9ff103fc3ef9c5e035dc594f

  • SHA512

    085a31c0412ba0a3d612a66ec8d95ce900e148240f92f9ec8c4d07b6c8e32cf233e92aefc7b4b53a91f5eacacd1cf3a8fcdf8cd7c206afa46014a9e4a9ddf53f

  • SSDEEP

    98304:jgoX+R+gW1CkQFBAFGspWvuL136BRiGQiiyBrDbnh57cpbJLyns:coXxFGWL56BVrDbn77cjIs

Score
8/10
evasion

Malware Config

Signatures

  • Modifies Windows Firewall 2 TTPs 14 IoCs
    evasion
  • Checks computer location settings 2 TTPs 5 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 7 IoCs
  • Drops file in System32 directory 18 IoCs
  • Drops file in Windows directory 8 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies data under HKEY_USERS 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 44 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\svchost_dump_SCY - Copy.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost_dump_SCY - Copy.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1444
    • C:\Windows\System32\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:224
    • C:\Windows\System32\netsh.exe
      "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
      2⤵
      • Modifies Windows Firewall
      PID:1412
    • C:\Windows\System32\netsh.exe
      "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
      2⤵
      • Modifies Windows Firewall
      PID:4824
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4236
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3192
    • C:\Windows\SYSTEM32\schtasks.exe
      schtasks /delete /TN "Timer"
      2⤵
        PID:1068
      • C:\Windows\SYSTEM32\schtasks.exe
        schtasks /create /sc minute /ED "11/02/2024" /mo 7 /tn "Timer" /tr c:\windows\system\svchost.exe /ru SYSTEM
        2⤵
        • Creates scheduled task(s)
        PID:2068
      • C:\Windows\System\svchost.exe
        "C:\Windows\System\svchost.exe" formal
        2⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of WriteProcessMemory
        PID:4244
        • C:\Windows\System32\Wbem\WMIC.exe
          WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName
          3⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:1372
        • C:\Windows\System32\netsh.exe
          "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
          3⤵
          • Modifies Windows Firewall
          PID:4344
        • C:\Windows\System32\netsh.exe
          "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
          3⤵
          • Modifies Windows Firewall
          PID:5112
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
          3⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:2432
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
          3⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:4652
        • C:\Users\Admin\AppData\Local\Temp\~tlEE22.tmp
          C:\Users\Admin\AppData\Local\Temp\~tlEE22.tmp
          3⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:876
          • C:\Windows\SYSTEM32\netsh.exe
            netsh int ipv4 set dynamicport tcp start=1025 num=64511
            4⤵
              PID:3672
            • C:\Windows\System32\netsh.exe
              "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
              4⤵
              • Modifies Windows Firewall
              PID:3656
            • C:\Windows\System32\netsh.exe
              "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
              4⤵
              • Modifies Windows Firewall
              PID:1528
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
              4⤵
              • Suspicious behavior: EnumeratesProcesses
              PID:836
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
              4⤵
              • Suspicious behavior: EnumeratesProcesses
              PID:4744
            • C:\Windows\SYSTEM32\schtasks.exe
              schtasks /delete /TN "Timer"
              4⤵
                PID:752
              • C:\Windows\SYSTEM32\schtasks.exe
                schtasks /create /sc minute /ED "11/02/2024" /mo 7 /tn "Timer" /tr c:\windows\system\svchost.exe /ru SYSTEM
                4⤵
                • Creates scheduled task(s)
                PID:5032
              • C:\Windows\System\svchost.exe
                "C:\Windows\System\svchost.exe" formal
                4⤵
                • Checks computer location settings
                • Executes dropped EXE
                • Drops file in Windows directory
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of WriteProcessMemory
                PID:1500
                • C:\Windows\SYSTEM32\netsh.exe
                  netsh int ipv4 set dynamicport tcp start=1025 num=64511
                  5⤵
                    PID:4884
                  • C:\Windows\System32\netsh.exe
                    "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
                    5⤵
                    • Modifies Windows Firewall
                    PID:4352
                  • C:\Windows\System32\netsh.exe
                    "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
                    5⤵
                    • Modifies Windows Firewall
                    PID:1644
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
                    5⤵
                    • Suspicious behavior: EnumeratesProcesses
                    PID:4656
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
                    5⤵
                    • Suspicious behavior: EnumeratesProcesses
                    PID:2920
                  • C:\Users\Admin\AppData\Local\Temp\~tlC8F1.tmp
                    C:\Users\Admin\AppData\Local\Temp\~tlC8F1.tmp
                    5⤵
                    • Checks computer location settings
                    • Executes dropped EXE
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of WriteProcessMemory
                    PID:976
                    • C:\Windows\SYSTEM32\netsh.exe
                      netsh int ipv4 set dynamicport tcp start=1025 num=64511
                      6⤵
                        PID:2700
                      • C:\Windows\System32\netsh.exe
                        "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
                        6⤵
                        • Modifies Windows Firewall
                        PID:2440
                      • C:\Windows\System32\netsh.exe
                        "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
                        6⤵
                        • Modifies Windows Firewall
                        PID:2500
                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
                        6⤵
                        • Suspicious behavior: EnumeratesProcesses
                        PID:1412
                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
                        6⤵
                        • Suspicious behavior: EnumeratesProcesses
                        PID:1804
            • \??\c:\windows\system\svchost.exe
              c:\windows\system\svchost.exe
              1⤵
              • Executes dropped EXE
              • Drops file in System32 directory
              • Modifies data under HKEY_USERS
              • Suspicious use of WriteProcessMemory
              PID:1992
              • C:\Windows\System32\Wbem\WMIC.exe
                WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName
                2⤵
                  PID:4496
              • \??\c:\windows\system\svchost.exe
                c:\windows\system\svchost.exe
                1⤵
                • Executes dropped EXE
                • Drops file in System32 directory
                • Drops file in Windows directory
                • Modifies data under HKEY_USERS
                • Suspicious behavior: EnumeratesProcesses
                PID:3660
                • C:\Windows\system32\netsh.exe
                  netsh int ipv4 set dynamicport tcp start=1025 num=64511
                  2⤵
                    PID:2036
                  • C:\Windows\System32\netsh.exe
                    "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
                    2⤵
                    • Modifies Windows Firewall
                    PID:4880
                  • C:\Windows\System32\netsh.exe
                    "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
                    2⤵
                    • Modifies Windows Firewall
                    PID:4736
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
                    2⤵
                    • Drops file in System32 directory
                    • Modifies data under HKEY_USERS
                    • Suspicious behavior: EnumeratesProcesses
                    PID:2420
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
                    2⤵
                    • Drops file in System32 directory
                    • Modifies data under HKEY_USERS
                    • Suspicious behavior: EnumeratesProcesses
                    PID:3664
                  • C:\Windows\TEMP\~tl2962.tmp
                    C:\Windows\TEMP\~tl2962.tmp
                    2⤵
                    • Executes dropped EXE
                    • Drops file in System32 directory
                    • Modifies data under HKEY_USERS
                    • Suspicious behavior: EnumeratesProcesses
                    PID:2012
                    • C:\Windows\system32\netsh.exe
                      netsh int ipv4 set dynamicport tcp start=1025 num=64511
                      3⤵
                        PID:3632
                      • C:\Windows\System32\netsh.exe
                        "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
                        3⤵
                        • Modifies Windows Firewall
                        PID:540
                      • C:\Windows\System32\netsh.exe
                        "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
                        3⤵
                        • Modifies Windows Firewall
                        PID:4204
                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
                        3⤵
                        • Drops file in System32 directory
                        • Modifies data under HKEY_USERS
                        • Suspicious behavior: EnumeratesProcesses
                        PID:3860
                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
                        3⤵
                        • Drops file in System32 directory
                        • Modifies data under HKEY_USERS
                        • Suspicious behavior: EnumeratesProcesses
                        PID:3496

                  Network

                  MITRE ATT&CK Enterprise v15

                  Replay Monitor

                  Loading Replay Monitor...

                  Downloads

                  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
                    Filesize

                    2KB

                    MD5

                    d85ba6ff808d9e5444a4b369f5bc2730

                    SHA1

                    31aa9d96590fff6981b315e0b391b575e4c0804a

                    SHA256

                    84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

                    SHA512

                    8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                    Filesize

                    944B

                    MD5

                    993af531f0b57e8128ec273731c3a8e2

                    SHA1

                    a42ea55876f4f390837dd2c95fb7ff2344b6e9e1

                    SHA256

                    fff934d70d813381536d272c5b8ac6ad70acd054267b13592da767c9bd1dda62

                    SHA512

                    bdf5970ff2ee314dc297fce5c0f44765e77acbf269cd9ad9e7448a391d5f80d66a0c5426f99bc3480851e8763413aa180b3b3b6b22ef0e86a365450cb8c334e4

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                    Filesize

                    944B

                    MD5

                    a2c8179aaa149c0b9791b73ce44c04d1

                    SHA1

                    703361b0d43ec7f669304e7c0ffbbfdeb1e484ff

                    SHA256

                    c1d30342a40a2b6e7553da30ceb85754d33820f6fbb3bbbed1ceb30d6390de4a

                    SHA512

                    2e201dd457d055baad86f68c15bcc7beb48d6dc2ffc10db7f304eb93f697e7b45991cbde857d25da2c9c60c23f3e13df8b5ed5809c1753737a23096e296cc9e3

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                    Filesize

                    944B

                    MD5

                    ef647504cf229a16d02de14a16241b90

                    SHA1

                    81480caca469857eb93c75d494828b81e124fda0

                    SHA256

                    47002672443e80410e55a0b6d683573ac27d70d803b57ee3c2818d1008669710

                    SHA512

                    a6d8c08c708eee6f7e700880ce79d2ba7cd0acbe8529d96e18f3e90ea1f3cf33fd801dd6eba6017cdd02769e968c48278c090c1deeac710124f79423cd862ee1

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                    Filesize

                    944B

                    MD5

                    77d622bb1a5b250869a3238b9bc1402b

                    SHA1

                    d47f4003c2554b9dfc4c16f22460b331886b191b

                    SHA256

                    f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

                    SHA512

                    d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                    Filesize

                    944B

                    MD5

                    eb1ad317bd25b55b2bbdce8a28a74a94

                    SHA1

                    98a3978be4d10d62e7411946474579ee5bdc5ea6

                    SHA256

                    9e94e7c9ac6134ee30e79498558aa1a5a1ac79a643666c3f8922eed215dd3a98

                    SHA512

                    d011f266c0240d84470c0f9577cd9e4927309bd19bb38570ca9704ed8e1d159f9bea982a59d3eefef72ce7a10bd81208b82e88ef57c7af587f7437a89769adc0

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3wscclaw.s25.ps1
                    Filesize

                    60B

                    MD5

                    d17fe0a3f47be24a6453e9ef58c94641

                    SHA1

                    6ab83620379fc69f80c0242105ddffd7d98d5d9d

                    SHA256

                    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                    SHA512

                    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\~tlC8F1.tmp
                    Filesize

                    393KB

                    MD5

                    9dbdd43a2e0b032604943c252eaf634a

                    SHA1

                    9584dc66f3c1cce4210fdf827a1b4e2bb22263af

                    SHA256

                    33c53cd5265502e7b62432dba0e1b5ed702b5007cc79973ccd1e71b2acc01e86

                    SHA512

                    b7b20b06dac952a96eda254bad29966fe7a4f827912beb0bc66d5af5b302d7c0282d70c1b01ff782507dd03a1d58706f05cb157521c7f2887a43085ffe5f94d1

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\~tlEE22.tmp
                    Filesize

                    385KB

                    MD5

                    e802c96760e48c5139995ffb2d891f90

                    SHA1

                    bba3d278c0eb1094a26e5d2f4c099ad685371578

                    SHA256

                    cb82ea45a37f8f79d10726a7c165aa5b392b68d5ac954141129c1762a539722c

                    SHA512

                    97300ac501be6b6ea3ac1915361dd472824fe612801cab8561a02c7df071b1534190d2d5ef872d89d24c8c915b88101e7315f948f53215c2538d661181e3a5f0

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\tor\cached-microdesc-consensus.tmp
                    Filesize

                    2.6MB

                    MD5

                    9bae03d3dc0f5cfd40507ee03ba5a765

                    SHA1

                    bbb2ea791c2e53e615f7c4b17246b4d465e6a4fe

                    SHA256

                    ff1af3cc0eff747f5425287eea2910d8d69cd9d30af5a90a41a03a023bb0313f

                    SHA512

                    2263b74eefd835f92a085f1b35e156b79c37996b1976d6b93ad94cfce8454411131d4b3dc1d3d3cee175b37d05433f3061060023219d7d3da86e034e510b7b81

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\tor\cached-microdescs.new
                    Filesize

                    6.7MB

                    MD5

                    0e228c49fdf3800585e8174010838f58

                    SHA1

                    0ded0768b2bf637720bd4f55c5095919dc9018be

                    SHA256

                    cb4ff9a8f9071d7e03b51f99cfd614f4bf5ffb65dd33cb69d86d0fa2c44766d3

                    SHA512

                    7262a61ebc0939e00f60ddd63f10c78459a343e0984600b8c0be75ea685774d5963998719097b28af33f861a789ba36d4045a6172c47f09d5be50e4cfc0b7cb0

                    Download Submit

                  • C:\Windows\System\svchost.exe
                    Filesize

                    5.2MB

                    MD5

                    5fd3d21a968f4b8a1577b5405ab1c36a

                    SHA1

                    710e5ab0fceb71b982b966c3a7406ebdf1d2aa82

                    SHA256

                    7ac7b42889e14cbd8c7cebe692566ca045d0034f9ff103fc3ef9c5e035dc594f

                    SHA512

                    085a31c0412ba0a3d612a66ec8d95ce900e148240f92f9ec8c4d07b6c8e32cf233e92aefc7b4b53a91f5eacacd1cf3a8fcdf8cd7c206afa46014a9e4a9ddf53f

                    Download Submit

                  • C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
                    Filesize

                    4KB

                    MD5

                    bdb25c22d14ec917e30faf353826c5de

                    SHA1

                    6c2feb9cea9237bc28842ebf2fea68b3bd7ad190

                    SHA256

                    e3274ce8296f2cd20e3189576fbadbfa0f1817cdf313487945c80e968589a495

                    SHA512

                    b5eddbfd4748298a302e2963cfd12d849130b6dcb8f0f85a2a623caed0ff9bd88f4ec726f646dbebfca4964adc35f882ec205113920cb546cc08193739d6728c

                    Download Submit

                  • C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                    Filesize

                    1KB

                    MD5

                    b42c70c1dbf0d1d477ec86902db9e986

                    SHA1

                    1d1c0a670748b3d10bee8272e5d67a4fabefd31f

                    SHA256

                    8ed3b348989cdc967d1fc0e887b2a2f5a656680d8d14ebd3cb71a10c2f55867a

                    SHA512

                    57fb278a8b2e83d01fac2a031c90e0e2bd5e4c1a360cfa4308490eb07e1b9d265b1f28399d0f10b141a6438ba92dd5f9ce4f18530ec277fece0eb7678041cbc5

                    Download Submit

                  • C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                    Filesize

                    1KB

                    MD5

                    7a22a7645143d402a64234676e82ec6d

                    SHA1

                    e52ec10a13b720abafa50d3e7efcc79153b55364

                    SHA256

                    9897ad03faf215e59eada73f29494197103f6470a08ffb52072017e6f22f9e8f

                    SHA512

                    37f8f5f8075ed684662bda94301a6b086b9be1774e4651782108879edcae20be986c5e3aef7eafdeb6cc82791ca620aeacce08574c4edb75c98ab6e681b29535

                    Download Submit

                  • memory/836-145-0x0000019599140000-0x0000019599150000-memory.dmp

                    Filesize

                    64KB

                    Download

                  • memory/836-146-0x0000019599140000-0x0000019599150000-memory.dmp

                    Filesize

                    64KB

                    Download

                  • memory/836-144-0x00007FFB095E0000-0x00007FFB0A0A1000-memory.dmp

                    Filesize

                    10.8MB

                    Download

                  • memory/836-173-0x00007FFB095E0000-0x00007FFB0A0A1000-memory.dmp

                    Filesize

                    10.8MB

                    Download

                  • memory/876-141-0x0000000140000000-0x000000014015E400-memory.dmp

                    Filesize

                    1.4MB

                    Download

                  • memory/876-186-0x0000000140000000-0x000000014015E400-memory.dmp

                    Filesize

                    1.4MB

                    Download

                  • memory/876-143-0x0000000140000000-0x000000014015E400-memory.dmp

                    Filesize

                    1.4MB

                    Download

                  • memory/876-142-0x0000000140000000-0x000000014015E400-memory.dmp

                    Filesize

                    1.4MB

                    Download

                  • memory/876-140-0x0000000140000000-0x000000014015E400-memory.dmp

                    Filesize

                    1.4MB

                    Download

                  • memory/876-137-0x0000000140000000-0x000000014015E400-memory.dmp

                    Filesize

                    1.4MB

                    Download

                  • memory/976-225-0x0000000140000000-0x0000000140170400-memory.dmp

                    Filesize

                    1.4MB

                    Download

                  • memory/976-227-0x0000000140000000-0x0000000140170400-memory.dmp

                    Filesize

                    1.4MB

                    Download

                  • memory/976-223-0x0000000140000000-0x0000000140170400-memory.dmp

                    Filesize

                    1.4MB

                    Download

                  • memory/976-226-0x0000000140000000-0x0000000140170400-memory.dmp

                    Filesize

                    1.4MB

                    Download

                  • memory/976-228-0x0000000140000000-0x0000000140170400-memory.dmp

                    Filesize

                    1.4MB

                    Download

                  • memory/976-260-0x0000000140000000-0x0000000140170400-memory.dmp

                    Filesize

                    1.4MB

                    Download

                  • memory/1412-231-0x000002ED47FF0000-0x000002ED48000000-memory.dmp

                    Filesize

                    64KB

                    Download

                  • memory/1412-255-0x00007FFB095E0000-0x00007FFB0A0A1000-memory.dmp

                    Filesize

                    10.8MB

                    Download

                  • memory/1412-230-0x000002ED47FF0000-0x000002ED48000000-memory.dmp

                    Filesize

                    64KB

                    Download

                  • memory/1412-229-0x00007FFB095E0000-0x00007FFB0A0A1000-memory.dmp

                    Filesize

                    10.8MB

                    Download

                  • memory/1444-26-0x0000000140000000-0x0000000140636000-memory.dmp

                    Filesize

                    6.2MB

                    Download

                  • memory/1444-44-0x0000000140000000-0x0000000140636000-memory.dmp

                    Filesize

                    6.2MB

                    Download

                  • memory/1444-0-0x0000000140000000-0x0000000140636000-memory.dmp

                    Filesize

                    6.2MB

                    Download

                  • memory/1500-185-0x0000000140000000-0x000000014015E400-memory.dmp

                    Filesize

                    1.4MB

                    Download

                  • memory/1500-187-0x0000000140000000-0x000000014015E400-memory.dmp

                    Filesize

                    1.4MB

                    Download

                  • memory/1500-224-0x0000000140000000-0x000000014015E400-memory.dmp

                    Filesize

                    1.4MB

                    Download

                  • memory/1500-184-0x0000000140000000-0x000000014015E400-memory.dmp

                    Filesize

                    1.4MB

                    Download

                  • memory/1804-258-0x00007FFB095E0000-0x00007FFB0A0A1000-memory.dmp

                    Filesize

                    10.8MB

                    Download

                  • memory/1804-252-0x000001E3A29F0000-0x000001E3A2A00000-memory.dmp

                    Filesize

                    64KB

                    Download

                  • memory/1804-253-0x000001E3A29F0000-0x000001E3A2A00000-memory.dmp

                    Filesize

                    64KB

                    Download

                  • memory/1804-251-0x00007FFB095E0000-0x00007FFB0A0A1000-memory.dmp

                    Filesize

                    10.8MB

                    Download

                  • memory/1992-125-0x0000000140000000-0x0000000140636000-memory.dmp

                    Filesize

                    6.2MB

                    Download

                  • memory/1992-126-0x0000000140000000-0x0000000140636000-memory.dmp

                    Filesize

                    6.2MB

                    Download

                  • memory/2012-417-0x0000000140000000-0x0000000140170400-memory.dmp

                    Filesize

                    1.4MB

                    Download

                  • memory/2012-361-0x0000000140000000-0x0000000140170400-memory.dmp

                    Filesize

                    1.4MB

                    Download

                  • memory/2420-315-0x00000167B49A0000-0x00000167B49BC000-memory.dmp

                    Filesize

                    112KB

                    Download

                  • memory/2420-284-0x00007FFB095E0000-0x00007FFB0A0A1000-memory.dmp

                    Filesize

                    10.8MB

                    Download

                  • memory/2420-285-0x0000016799FB0000-0x0000016799FC0000-memory.dmp

                    Filesize

                    64KB

                    Download

                  • memory/2420-319-0x00007FF4DE110000-0x00007FF4DE120000-memory.dmp

                    Filesize

                    64KB

                    Download

                  • memory/2420-321-0x0000016799FB0000-0x0000016799FC0000-memory.dmp

                    Filesize

                    64KB

                    Download

                  • memory/2432-52-0x0000027140F70000-0x0000027140F80000-memory.dmp

                    Filesize

                    64KB

                    Download

                  • memory/2432-56-0x0000027140F70000-0x0000027140F80000-memory.dmp

                    Filesize

                    64KB

                    Download

                  • memory/2432-50-0x00007FFB08DB0000-0x00007FFB09871000-memory.dmp

                    Filesize

                    10.8MB

                    Download

                  • memory/2432-72-0x00007FFB08DB0000-0x00007FFB09871000-memory.dmp

                    Filesize

                    10.8MB

                    Download

                  • memory/2920-200-0x000001E9E7D10000-0x000001E9E7D20000-memory.dmp

                    Filesize

                    64KB

                    Download

                  • memory/2920-199-0x00007FFB095E0000-0x00007FFB0A0A1000-memory.dmp

                    Filesize

                    10.8MB

                    Download

                  • memory/2920-206-0x000001E9E7D10000-0x000001E9E7D20000-memory.dmp

                    Filesize

                    64KB

                    Download

                  • memory/2920-215-0x00007FFB095E0000-0x00007FFB0A0A1000-memory.dmp

                    Filesize

                    10.8MB

                    Download

                  • memory/3192-29-0x00000197CCC00000-0x00000197CCC10000-memory.dmp

                    Filesize

                    64KB

                    Download

                  • memory/3192-14-0x00000197CCC00000-0x00000197CCC10000-memory.dmp

                    Filesize

                    64KB

                    Download

                  • memory/3192-25-0x00007FFB08C00000-0x00007FFB096C1000-memory.dmp

                    Filesize

                    10.8MB

                    Download

                  • memory/3192-34-0x00007FFB08C00000-0x00007FFB096C1000-memory.dmp

                    Filesize

                    10.8MB

                    Download

                  • memory/3192-13-0x00000197CCC00000-0x00000197CCC10000-memory.dmp

                    Filesize

                    64KB

                    Download

                  • memory/3660-283-0x0000000140000000-0x000000014015E400-memory.dmp

                    Filesize

                    1.4MB

                    Download

                  • memory/3660-281-0x0000000140000000-0x000000014015E400-memory.dmp

                    Filesize

                    1.4MB

                    Download

                  • memory/3660-355-0x0000000140000000-0x000000014015E400-memory.dmp

                    Filesize

                    1.4MB

                    Download

                  • memory/3660-280-0x0000000140000000-0x000000014015E400-memory.dmp

                    Filesize

                    1.4MB

                    Download

                  • memory/3664-320-0x00007FF4C4B20000-0x00007FF4C4B30000-memory.dmp

                    Filesize

                    64KB

                    Download

                  • memory/3664-300-0x00007FFB095E0000-0x00007FFB0A0A1000-memory.dmp

                    Filesize

                    10.8MB

                    Download

                  • memory/3664-301-0x000001EC9CF10000-0x000001EC9CF20000-memory.dmp

                    Filesize

                    64KB

                    Download

                  • memory/4236-30-0x00007FFB08C00000-0x00007FFB096C1000-memory.dmp

                    Filesize

                    10.8MB

                    Download

                  • memory/4236-11-0x00007FFB08C00000-0x00007FFB096C1000-memory.dmp

                    Filesize

                    10.8MB

                    Download

                  • memory/4236-12-0x000001DAB1A00000-0x000001DAB1A10000-memory.dmp

                    Filesize

                    64KB

                    Download

                  • memory/4236-1-0x000001DAB19A0000-0x000001DAB19C2000-memory.dmp

                    Filesize

                    136KB

                    Download

                  • memory/4236-20-0x000001DAB1A00000-0x000001DAB1A10000-memory.dmp

                    Filesize

                    64KB

                    Download

                  • memory/4244-69-0x0000000140000000-0x0000000140636000-memory.dmp

                    Filesize

                    6.2MB

                    Download

                  • memory/4244-76-0x0000000036870000-0x0000000036D52000-memory.dmp

                    Filesize

                    4.9MB

                    Download

                  • memory/4244-43-0x0000000140000000-0x0000000140636000-memory.dmp

                    Filesize

                    6.2MB

                    Download

                  • memory/4244-139-0x0000000140000000-0x0000000140636000-memory.dmp

                    Filesize

                    6.2MB

                    Download

                  • memory/4652-59-0x000001FF7EF20000-0x000001FF7EF30000-memory.dmp

                    Filesize

                    64KB

                    Download

                  • memory/4652-58-0x00007FFB08DB0000-0x00007FFB09871000-memory.dmp

                    Filesize

                    10.8MB

                    Download

                  • memory/4652-70-0x000001FF7EF20000-0x000001FF7EF30000-memory.dmp

                    Filesize

                    64KB

                    Download

                  • memory/4652-75-0x00007FFB08DB0000-0x00007FFB09871000-memory.dmp

                    Filesize

                    10.8MB

                    Download

                  • memory/4656-212-0x00007FFB095E0000-0x00007FFB0A0A1000-memory.dmp

                    Filesize

                    10.8MB

                    Download

                  • memory/4656-188-0x00007FFB095E0000-0x00007FFB0A0A1000-memory.dmp

                    Filesize

                    10.8MB

                    Download

                  • memory/4744-172-0x00007FFB095E0000-0x00007FFB0A0A1000-memory.dmp

                    Filesize

                    10.8MB

                    Download

                  • memory/4744-158-0x000002C116D20000-0x000002C116D30000-memory.dmp

                    Filesize

                    64KB

                    Download

                  • memory/4744-157-0x00007FFB095E0000-0x00007FFB0A0A1000-memory.dmp

                    Filesize

                    10.8MB

                    Download

                  • memory/4744-147-0x000002C116D20000-0x000002C116D30000-memory.dmp

                    Filesize

                    64KB

                    Download