Overview

overview

8

Static

static

3

tmp.exe

windows7-x64

8

tmp.exe

windows10-1703-x64

8

tmp.exe

windows10-2004-x64

8

tmp.exe

windows11-21h2-x64

1

Resubmissions

11/04/2024, 06:38

240411-hd63esha9z 8

11/04/2024, 06:37

240411-hdp4xaha9x 8

11/04/2024, 06:37

240411-hdlrgsha9w 8

11/04/2024, 06:37

240411-hdk5ysha9t 8

11/04/2024, 06:37

240411-hdkjesha9s 8

07/04/2024, 08:23

240407-kabhfsgg71 8

07/04/2024, 08:23

240407-j97t9shc64 8

07/04/2024, 08:22

240407-j93wbagg7w 8

07/04/2024, 08:22

240407-j9yatsgg7s 7

Analysis

  • max time kernel
    1199s
  • max time network
    1201s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags

    arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
  • submitted
    11/04/2024, 06:37

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    tmp.exe

  • Size

    5.3MB

  • MD5

    5fe4ea367cee11e92ad4644d8ac3cef7

  • SHA1

    44faea4a352b7860a9eafca82bd3c9b054b6db29

  • SHA256

    1a69f2fcfe5b35bf44ea42a1efe89f18f6b0d522cbbea5c51bae93aff7d3188b

  • SHA512

    1c4499eadaf44847a7a001c2622e558bc130c9ad608b4ec977480e002cf50c9eb36a65974b86a2db69e9bc43e7d239122389a6cf1ca2849c59bc137441fb0a4f

  • SSDEEP

    98304:lgU5484Bq1qdguoOzv4I3KOn6Ka1uFof9Hn6sdw5yOc4:iU54mqL9zvH3qO

Score
8/10
discoveryevasion

Malware Config

Signatures

  • Contacts a large (741) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

    discovery
  • Modifies Windows Firewall 2 TTPs 14 IoCs
    evasion
  • Executes dropped EXE 8 IoCs
  • Drops file in System32 directory 19 IoCs
  • Drops file in Windows directory 9 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies data under HKEY_USERS 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1452
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:372
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:436
    • C:\Windows\SYSTEM32\schtasks.exe
      schtasks /create /sc minute /ED "11/02/2024" /mo 7 /tn "Timer" /tr c:\windows\system\svchost.exe /ru SYSTEM
      2⤵
      • Creates scheduled task(s)
      PID:4672
    • C:\Windows\System\svchost.exe
      "C:\Windows\System\svchost.exe" formal
      2⤵
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      PID:3300
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3616
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4180
      • C:\Users\Admin\AppData\Local\Temp\~tl3421.tmp
        C:\Users\Admin\AppData\Local\Temp\~tl3421.tmp
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2428
        • C:\Windows\SYSTEM32\netsh.exe
          netsh int ipv4 set dynamicport tcp start=1025 num=64511
          4⤵
            PID:2576
          • C:\Windows\System32\netsh.exe
            "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
            4⤵
            • Modifies Windows Firewall
            PID:4788
          • C:\Windows\System32\netsh.exe
            "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
            4⤵
            • Modifies Windows Firewall
            PID:3116
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
            4⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4620
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
            4⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:892
          • C:\Windows\SYSTEM32\schtasks.exe
            schtasks /delete /TN "Timer"
            4⤵
              PID:372
            • C:\Windows\SYSTEM32\schtasks.exe
              schtasks /create /sc minute /ED "11/02/2024" /mo 7 /tn "Timer" /tr c:\windows\system\svchost.exe /ru SYSTEM
              4⤵
              • Creates scheduled task(s)
              PID:1016
            • C:\Windows\System\svchost.exe
              "C:\Windows\System\svchost.exe" formal
              4⤵
              • Executes dropped EXE
              • Drops file in Windows directory
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of WriteProcessMemory
              PID:5092
              • C:\Windows\SYSTEM32\netsh.exe
                netsh int ipv4 set dynamicport tcp start=1025 num=64511
                5⤵
                  PID:1372
                • C:\Windows\System32\netsh.exe
                  "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
                  5⤵
                  • Modifies Windows Firewall
                  PID:2396
                • C:\Windows\System32\netsh.exe
                  "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
                  5⤵
                  • Modifies Windows Firewall
                  PID:2584
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
                  5⤵
                  • Suspicious behavior: EnumeratesProcesses
                  PID:3224
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
                  5⤵
                  • Suspicious behavior: EnumeratesProcesses
                  PID:3588
                • C:\Users\Admin\AppData\Local\Temp\~tl1B2.tmp
                  C:\Users\Admin\AppData\Local\Temp\~tl1B2.tmp
                  5⤵
                  • Executes dropped EXE
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of WriteProcessMemory
                  PID:4584
                  • C:\Windows\SYSTEM32\netsh.exe
                    netsh int ipv4 set dynamicport tcp start=1025 num=64511
                    6⤵
                      PID:4236
                    • C:\Windows\System32\netsh.exe
                      "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
                      6⤵
                      • Modifies Windows Firewall
                      PID:4540
                    • C:\Windows\System32\netsh.exe
                      "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
                      6⤵
                      • Modifies Windows Firewall
                      PID:4612
                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
                      6⤵
                      • Suspicious behavior: EnumeratesProcesses
                      PID:488
                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
                      6⤵
                      • Suspicious behavior: EnumeratesProcesses
                      PID:4832
          • \??\c:\windows\system\svchost.exe
            c:\windows\system\svchost.exe
            1⤵
            • Executes dropped EXE
            • Drops file in System32 directory
            • Drops file in Windows directory
            • Modifies data under HKEY_USERS
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:2764
            • C:\Windows\system32\netsh.exe
              netsh int ipv4 set dynamicport tcp start=1025 num=64511
              2⤵
              • Modifies data under HKEY_USERS
              PID:2576
            • C:\Windows\System32\netsh.exe
              "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
              2⤵
              • Modifies Windows Firewall
              PID:4368
            • C:\Windows\System32\netsh.exe
              "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
              2⤵
              • Modifies Windows Firewall
              • Modifies data under HKEY_USERS
              PID:1076
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
              2⤵
              • Drops file in System32 directory
              • Modifies data under HKEY_USERS
              • Suspicious behavior: EnumeratesProcesses
              PID:4764
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
              2⤵
              • Drops file in System32 directory
              • Modifies data under HKEY_USERS
              • Suspicious behavior: EnumeratesProcesses
              PID:396
            • C:\Windows\TEMP\~tlEB2E.tmp
              C:\Windows\TEMP\~tlEB2E.tmp
              2⤵
              • Executes dropped EXE
              • Drops file in System32 directory
              • Suspicious behavior: EnumeratesProcesses
              PID:4236
              • C:\Windows\system32\netsh.exe
                netsh int ipv4 set dynamicport tcp start=1025 num=64511
                3⤵
                  PID:5088
                • C:\Windows\System32\netsh.exe
                  "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
                  3⤵
                  • Modifies Windows Firewall
                  PID:4176
                • C:\Windows\System32\netsh.exe
                  "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
                  3⤵
                  • Modifies Windows Firewall
                  PID:3396
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
                  3⤵
                  • Drops file in System32 directory
                  • Modifies data under HKEY_USERS
                  • Suspicious behavior: EnumeratesProcesses
                  PID:3516
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
                  3⤵
                  • Drops file in System32 directory
                  • Modifies data under HKEY_USERS
                  • Suspicious behavior: EnumeratesProcesses
                  PID:3600
            • \??\c:\windows\system\svchost.exe
              c:\windows\system\svchost.exe
              1⤵
              • Executes dropped EXE
              • Drops file in System32 directory
              • Drops file in Windows directory
              • Suspicious behavior: EnumeratesProcesses
              PID:1220
              • C:\Windows\system32\netsh.exe
                netsh int ipv4 set dynamicport tcp start=1025 num=64511
                2⤵
                  PID:2156
                • C:\Windows\System32\netsh.exe
                  "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
                  2⤵
                  • Modifies Windows Firewall
                  PID:696
                • C:\Windows\System32\netsh.exe
                  "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
                  2⤵
                  • Modifies Windows Firewall
                  PID:5068
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
                  2⤵
                  • Drops file in System32 directory
                  • Modifies data under HKEY_USERS
                  • Suspicious behavior: EnumeratesProcesses
                  PID:424
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
                  2⤵
                  • Drops file in System32 directory
                  • Modifies data under HKEY_USERS
                  • Suspicious behavior: EnumeratesProcesses
                  PID:5004
                • C:\Windows\TEMP\~tl59E8.tmp
                  C:\Windows\TEMP\~tl59E8.tmp
                  2⤵
                  • Executes dropped EXE
                  • Drops file in System32 directory
                  • Modifies data under HKEY_USERS
                  PID:3784
                  • C:\Windows\system32\netsh.exe
                    netsh int ipv4 set dynamicport tcp start=1025 num=64511
                    3⤵
                    • Modifies data under HKEY_USERS
                    PID:3224
                  • C:\Windows\System32\netsh.exe
                    "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
                    3⤵
                    • Modifies Windows Firewall
                    PID:624
                  • C:\Windows\System32\netsh.exe
                    "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
                    3⤵
                    • Modifies Windows Firewall
                    PID:3100
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
                    3⤵
                    • Drops file in System32 directory
                    • Modifies data under HKEY_USERS
                    PID:4544
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
                    3⤵
                    • Drops file in System32 directory
                    • Modifies data under HKEY_USERS
                    PID:1376

              Network

              MITRE ATT&CK Enterprise v15

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
                Filesize

                2KB

                MD5

                268b890dae39e430e8b127909067ed96

                SHA1

                35939515965c0693ef46e021254c3e73ea8c4a2b

                SHA256

                7643d492a6f1e035b63b2e16c9c21d974a77dfd2d8e90b9c15ee412625e88c4c

                SHA512

                abc4b2ce10a6566f38c00ad55e433791dd45fca47deec70178daf0763578ff019fb0ec70792d5e9ecde4eb6778a35ba8a8c7ecd07550597d9bbb13521c9b98fb

                Download Submit

              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                Filesize

                1KB

                MD5

                4546a6f8ea6ea04bdb361e2b8d51becd

                SHA1

                b91e033b0d166514af762086a3b6071d68ad2c8e

                SHA256

                c14571be1a068649386e4cf5bac68bd74b274c7852422cc3ce05e4d4594ba15e

                SHA512

                0b86f2ae18286271eecc3db236274158478569ce8c06a1325bddea96561cf834b6b4cabac47c29d0f7a9fd88e3335db7bd6ec154c58da1620b72ebfaadf4b302

                Download Submit

              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                Filesize

                1KB

                MD5

                bc40cccfc258251d21dd5ab71395e192

                SHA1

                98d1f4c3c00241c43cc71dbd22f06183703e34a2

                SHA256

                1bbd73dc161823f32c29d97f5f7e885d5765d92cc88f99795985781c6d01fbd0

                SHA512

                2dd55969d6c1289d0220be275bd51012ad13ec61bfebde3ec71dd28abf76bb2a6c789f88e484bdeb4fffb6e2d00714124538fe52327778e397d0d8bfb1113dfb

                Download Submit

              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                Filesize

                1KB

                MD5

                548bdb51303c174f1341d64204324304

                SHA1

                6245603c1419ce0c1ea96338ccfe840a6fd6a068

                SHA256

                e5634c406da663990d6b3ab4d48d6578f86799f9b54dd3d2eadb039305081556

                SHA512

                502fca31a55bec79f12c44e9634da54e9f01fff9358d5198350fb3bbd5685b76fc8b2c2cbe56e75c2bba40dab9b6fcbaedf383603baf24494781e32318e4cda7

                Download Submit

              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                Filesize

                1KB

                MD5

                21d07258f62ce6475d2776f9a499f2a4

                SHA1

                7b771739c412aaafcb5c04ab495f527c9ed03530

                SHA256

                3218572b1b197e0f0480d3743cda35db089826107a925741f04cb508ad2c7a62

                SHA512

                df8177d6c679a51a637654449b4530e1450c65cdb12d729404130c785c7d255b8e3ec1d7bede88f5bdedb09e9bcf31879771e8ecca540c378357f840c56b529e

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wdgfjoso.ucg.ps1
                Filesize

                1B

                MD5

                c4ca4238a0b923820dcc509a6f75849b

                SHA1

                356a192b7913b04c54574d18c28d46e6395428ab

                SHA256

                6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

                SHA512

                4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\~tl1B2.tmp
                Filesize

                393KB

                MD5

                9dbdd43a2e0b032604943c252eaf634a

                SHA1

                9584dc66f3c1cce4210fdf827a1b4e2bb22263af

                SHA256

                33c53cd5265502e7b62432dba0e1b5ed702b5007cc79973ccd1e71b2acc01e86

                SHA512

                b7b20b06dac952a96eda254bad29966fe7a4f827912beb0bc66d5af5b302d7c0282d70c1b01ff782507dd03a1d58706f05cb157521c7f2887a43085ffe5f94d1

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\~tl3421.tmp
                Filesize

                385KB

                MD5

                e802c96760e48c5139995ffb2d891f90

                SHA1

                bba3d278c0eb1094a26e5d2f4c099ad685371578

                SHA256

                cb82ea45a37f8f79d10726a7c165aa5b392b68d5ac954141129c1762a539722c

                SHA512

                97300ac501be6b6ea3ac1915361dd472824fe612801cab8561a02c7df071b1534190d2d5ef872d89d24c8c915b88101e7315f948f53215c2538d661181e3a5f0

                Download Submit

              • C:\Users\Admin\AppData\Roaming\tor\cached-microdesc-consensus.tmp
                Filesize

                2.7MB

                MD5

                c9b1dde253446b4b2bc6a0ad4d3022c2

                SHA1

                66cf356f3717f3d07a1c568c7146f9f9f14adf9f

                SHA256

                4fcc265cafab726d5e03b652e7b3fb4681a28f0dc5349825fe28b5413c96d3f3

                SHA512

                0e8f41766a67cea5d48950d0f30b5c5e1c6b7e9a5d77515e2be72d719c11bed624991c8764c7edddb0981dffd34fbd6e6e89d9ac9bd65164a14b27f21a2ce005

                Download Submit

              • C:\Users\Admin\AppData\Roaming\tor\cached-microdescs.new
                Filesize

                7.4MB

                MD5

                bd6e39247468b93ab963b08866800998

                SHA1

                fa339ba8ffc99fb5d0c109196484652c1a9230f9

                SHA256

                4e4428327e85e0fe717cb92cc12a17ad2e476c68295bcb6ac9497c07ca5b0c2a

                SHA512

                b5ce1362d799a642080907ff36ed209bdd207c8a4d468a00925f00ac60ad1e55903c4b7ff721d2736ec901fd943df43b15a60e9efa1336113d51ec691aaf1506

                Download Submit

              • C:\Windows\System\svchost.exe
                Filesize

                5.3MB

                MD5

                5fe4ea367cee11e92ad4644d8ac3cef7

                SHA1

                44faea4a352b7860a9eafca82bd3c9b054b6db29

                SHA256

                1a69f2fcfe5b35bf44ea42a1efe89f18f6b0d522cbbea5c51bae93aff7d3188b

                SHA512

                1c4499eadaf44847a7a001c2622e558bc130c9ad608b4ec977480e002cf50c9eb36a65974b86a2db69e9bc43e7d239122389a6cf1ca2849c59bc137441fb0a4f

                Download Submit

              • C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
                Filesize

                3KB

                MD5

                478f1c1fcff584f4f440469ed71d2d43

                SHA1

                0900e9dc39580d527c145715f985a5a86e80b66c

                SHA256

                c918bf6bad93b653f9d05007634b088be7b91ed4350b777905d0520d93d650eb

                SHA512

                4ed62f2add77e0dd8e07e101ee06bdb8a15808b701c7580b09704bd4befdecf7cfe2fa29d6e96f2149a92f4e1b0cae0d9810a5cde3f4940145f8120f7322d1a7

                Download Submit

              • C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                Filesize

                1KB

                MD5

                f7281178f164538b3d1892e9b0e0e565

                SHA1

                3f9d8b0cd9244fc0ea9f74f56b7aa363db311f35

                SHA256

                f383008a4071cea4298985d1f1f5c75c14ed427438eeffe0730a7e3459d5921b

                SHA512

                8a5c3c59720e227e75c35b09da3a9837985a33793532e9262eac47b75f130dd3ca001e802050b04873462470e47a3a81d9d317c6919e2f75cb3d35d7d7c6d2ae

                Download Submit

              • C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                Filesize

                1KB

                MD5

                0579a250c33eee3926c62a028de8cc5f

                SHA1

                8e1667c7d70efded97fe0195f5f6fc36517eb018

                SHA256

                9e8ef80ea50b9ddd0d3e843b0fcb6894edfab14e8133a5a79c4e88ac16ac6995

                SHA512

                a4e24c42539658705e9839685c37111a62cd5f7c08086ea30c0bb84d56d49c4e0ffedb514712f7c9bd2bf307c8be2c14fe1ea8ce481f787ff6561b0e50ee3a38

                Download Submit

              • C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                Filesize

                192B

                MD5

                ad1844e2e35d24dce3531e2093fb89b9

                SHA1

                910903e67737141d2b31da413fdb26a24d025817

                SHA256

                8c9c7a09fceb896e4c9bd46f02399404ffaacdd580334796dd7503047d30c52a

                SHA512

                49a2836a6baacad19f25d35cb0c38869063d38e40c6be37e9174bd000f9bb9a973a4d0bce7655605e6c8173ef8cdc5760f1ff3fbb8fa2d7faa5cb829fc00fbe3

                Download Submit

              • C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                Filesize

                1KB

                MD5

                631f4b3792b263fdda6b265e93be4747

                SHA1

                1d6916097d419198bfdf78530d59d0d9f3e12d45

                SHA256

                4e68d2d067c5680a2e55853ac58b16f199b09f1b9e5f2174605fff18da828976

                SHA512

                e0280041c4ca63971ab2524f25d2047820f031c1b4aeb6021a3367297045ddf6616ffccafb54630eb07fd154571d844329ebcc34d6ce64834cb77cba373e4fbe

                Download Submit

              • memory/372-16-0x00000268B6D50000-0x00000268B6D60000-memory.dmp

                Filesize

                64KB

                Download

              • memory/372-108-0x00000268B6D50000-0x00000268B6D60000-memory.dmp

                Filesize

                64KB

                Download

              • memory/372-10-0x00007FFD9C950000-0x00007FFD9D33C000-memory.dmp

                Filesize

                9.9MB

                Download

              • memory/372-109-0x00007FFD9C950000-0x00007FFD9D33C000-memory.dmp

                Filesize

                9.9MB

                Download

              • memory/372-13-0x00000268B6D50000-0x00000268B6D60000-memory.dmp

                Filesize

                64KB

                Download

              • memory/372-50-0x00000268B6D50000-0x00000268B6D60000-memory.dmp

                Filesize

                64KB

                Download

              • memory/436-24-0x000001C560F30000-0x000001C560FA6000-memory.dmp

                Filesize

                472KB

                Download

              • memory/436-49-0x000001C560DA0000-0x000001C560DB0000-memory.dmp

                Filesize

                64KB

                Download

              • memory/436-19-0x000001C560D20000-0x000001C560D42000-memory.dmp

                Filesize

                136KB

                Download

              • memory/436-18-0x000001C560DA0000-0x000001C560DB0000-memory.dmp

                Filesize

                64KB

                Download

              • memory/436-17-0x000001C560DA0000-0x000001C560DB0000-memory.dmp

                Filesize

                64KB

                Download

              • memory/436-97-0x000001C560DA0000-0x000001C560DB0000-memory.dmp

                Filesize

                64KB

                Download

              • memory/436-12-0x00007FFD9C950000-0x00007FFD9D33C000-memory.dmp

                Filesize

                9.9MB

                Download

              • memory/436-101-0x00007FFD9C950000-0x00007FFD9D33C000-memory.dmp

                Filesize

                9.9MB

                Download

              • memory/488-509-0x0000019FD3A20000-0x0000019FD3A30000-memory.dmp

                Filesize

                64KB

                Download

              • memory/488-508-0x0000019FD3A20000-0x0000019FD3A30000-memory.dmp

                Filesize

                64KB

                Download

              • memory/488-505-0x00007FFD9C460000-0x00007FFD9CE4C000-memory.dmp

                Filesize

                9.9MB

                Download

              • memory/892-288-0x000002261A270000-0x000002261A280000-memory.dmp

                Filesize

                64KB

                Download

              • memory/892-285-0x00007FFD9C650000-0x00007FFD9D03C000-memory.dmp

                Filesize

                9.9MB

                Download

              • memory/892-372-0x00007FFD9C650000-0x00007FFD9D03C000-memory.dmp

                Filesize

                9.9MB

                Download

              • memory/892-366-0x000002261A270000-0x000002261A280000-memory.dmp

                Filesize

                64KB

                Download

              • memory/892-286-0x000002261A270000-0x000002261A280000-memory.dmp

                Filesize

                64KB

                Download

              • memory/892-339-0x000002261A270000-0x000002261A280000-memory.dmp

                Filesize

                64KB

                Download

              • memory/1452-0-0x0000000140000000-0x0000000140645400-memory.dmp

                Filesize

                6.3MB

                Download

              • memory/1452-116-0x0000000140000000-0x0000000140645400-memory.dmp

                Filesize

                6.3MB

                Download

              • memory/1452-4-0x0000000140000000-0x0000000140645400-memory.dmp

                Filesize

                6.3MB

                Download

              • memory/1452-1-0x0000000140000000-0x0000000140645400-memory.dmp

                Filesize

                6.3MB

                Download

              • memory/1452-3-0x0000000140000000-0x0000000140645400-memory.dmp

                Filesize

                6.3MB

                Download

              • memory/2428-269-0x0000000140000000-0x000000014015E400-memory.dmp

                Filesize

                1.4MB

                Download

              • memory/2428-274-0x0000000140000000-0x000000014015E400-memory.dmp

                Filesize

                1.4MB

                Download

              • memory/2428-386-0x0000000140000000-0x000000014015E400-memory.dmp

                Filesize

                1.4MB

                Download

              • memory/2428-273-0x0000000140000000-0x000000014015E400-memory.dmp

                Filesize

                1.4MB

                Download

              • memory/2428-272-0x0000000140000000-0x000000014015E400-memory.dmp

                Filesize

                1.4MB

                Download

              • memory/2764-626-0x0000000140000000-0x000000014015E400-memory.dmp

                Filesize

                1.4MB

                Download

              • memory/2764-951-0x0000000140000000-0x000000014015E400-memory.dmp

                Filesize

                1.4MB

                Download

              • memory/3224-390-0x00007FFD9C480000-0x00007FFD9CE6C000-memory.dmp

                Filesize

                9.9MB

                Download

              • memory/3224-394-0x0000016CE8EA0000-0x0000016CE8EB0000-memory.dmp

                Filesize

                64KB

                Download

              • memory/3224-483-0x00007FFD9C480000-0x00007FFD9CE6C000-memory.dmp

                Filesize

                9.9MB

                Download

              • memory/3224-393-0x0000016CE8EA0000-0x0000016CE8EB0000-memory.dmp

                Filesize

                64KB

                Download

              • memory/3224-418-0x0000016CE8EA0000-0x0000016CE8EB0000-memory.dmp

                Filesize

                64KB

                Download

              • memory/3224-471-0x0000016CE8EA0000-0x0000016CE8EB0000-memory.dmp

                Filesize

                64KB

                Download

              • memory/3300-270-0x0000000140000000-0x0000000140645400-memory.dmp

                Filesize

                6.3MB

                Download

              • memory/3300-222-0x0000000036B70000-0x000000003706C000-memory.dmp

                Filesize

                5.0MB

                Download

              • memory/3300-119-0x0000000140000000-0x0000000140645400-memory.dmp

                Filesize

                6.3MB

                Download

              • memory/3588-402-0x00000286DE280000-0x00000286DE290000-memory.dmp

                Filesize

                64KB

                Download

              • memory/3588-452-0x00000286DE280000-0x00000286DE290000-memory.dmp

                Filesize

                64KB

                Download

              • memory/3588-489-0x00007FFD9C480000-0x00007FFD9CE6C000-memory.dmp

                Filesize

                9.9MB

                Download

              • memory/3588-401-0x00000286DE280000-0x00000286DE290000-memory.dmp

                Filesize

                64KB

                Download

              • memory/3588-485-0x00000286DE280000-0x00000286DE290000-memory.dmp

                Filesize

                64KB

                Download

              • memory/3588-400-0x00007FFD9C480000-0x00007FFD9CE6C000-memory.dmp

                Filesize

                9.9MB

                Download

              • memory/3616-124-0x00007FFD9C950000-0x00007FFD9D33C000-memory.dmp

                Filesize

                9.9MB

                Download

              • memory/3616-163-0x000001A36A6C0000-0x000001A36A6D0000-memory.dmp

                Filesize

                64KB

                Download

              • memory/3616-217-0x000001A36A6C0000-0x000001A36A6D0000-memory.dmp

                Filesize

                64KB

                Download

              • memory/3616-131-0x000001A36A6C0000-0x000001A36A6D0000-memory.dmp

                Filesize

                64KB

                Download

              • memory/3616-221-0x00007FFD9C950000-0x00007FFD9D33C000-memory.dmp

                Filesize

                9.9MB

                Download

              • memory/3616-129-0x000001A36A6C0000-0x000001A36A6D0000-memory.dmp

                Filesize

                64KB

                Download

              • memory/4180-165-0x00000167B8F10000-0x00000167B8F20000-memory.dmp

                Filesize

                64KB

                Download

              • memory/4180-133-0x00000167B8F10000-0x00000167B8F20000-memory.dmp

                Filesize

                64KB

                Download

              • memory/4180-132-0x00000167B8F10000-0x00000167B8F20000-memory.dmp

                Filesize

                64KB

                Download

              • memory/4180-211-0x00000167B8F10000-0x00000167B8F20000-memory.dmp

                Filesize

                64KB

                Download

              • memory/4180-216-0x00007FFD9C950000-0x00007FFD9D33C000-memory.dmp

                Filesize

                9.9MB

                Download

              • memory/4180-126-0x00007FFD9C950000-0x00007FFD9D33C000-memory.dmp

                Filesize

                9.9MB

                Download

              • memory/4236-956-0x0000000140000000-0x0000000140170400-memory.dmp

                Filesize

                1.4MB

                Download

              • memory/4236-1272-0x0000000140000000-0x0000000140170400-memory.dmp

                Filesize

                1.4MB

                Download

              • memory/4584-502-0x0000000140000000-0x0000000140170400-memory.dmp

                Filesize

                1.4MB

                Download

              • memory/4584-497-0x0000000140000000-0x0000000140170400-memory.dmp

                Filesize

                1.4MB

                Download

              • memory/4584-501-0x0000000140000000-0x0000000140170400-memory.dmp

                Filesize

                1.4MB

                Download

              • memory/4584-500-0x0000000140000000-0x0000000140170400-memory.dmp

                Filesize

                1.4MB

                Download

              • memory/4584-499-0x0000000140000000-0x0000000140170400-memory.dmp

                Filesize

                1.4MB

                Download

              • memory/4584-606-0x0000000140000000-0x0000000140170400-memory.dmp

                Filesize

                1.4MB

                Download

              • memory/4620-277-0x00007FFD9C650000-0x00007FFD9D03C000-memory.dmp

                Filesize

                9.9MB

                Download

              • memory/4620-280-0x00000166405C0000-0x00000166405D0000-memory.dmp

                Filesize

                64KB

                Download

              • memory/4620-281-0x00000166405C0000-0x00000166405D0000-memory.dmp

                Filesize

                64KB

                Download

              • memory/4620-307-0x00000166405C0000-0x00000166405D0000-memory.dmp

                Filesize

                64KB

                Download

              • memory/4620-370-0x00000166405C0000-0x00000166405D0000-memory.dmp

                Filesize

                64KB

                Download

              • memory/4620-376-0x00007FFD9C650000-0x00007FFD9D03C000-memory.dmp

                Filesize

                9.9MB

                Download

              • memory/5092-498-0x0000000140000000-0x000000014015E400-memory.dmp

                Filesize

                1.4MB

                Download

              • memory/5092-387-0x0000000140000000-0x000000014015E400-memory.dmp

                Filesize

                1.4MB

                Download

              • memory/5092-384-0x0000000140000000-0x000000014015E400-memory.dmp

                Filesize

                1.4MB

                Download

              • memory/5092-385-0x0000000140000000-0x000000014015E400-memory.dmp

                Filesize

                1.4MB

                Download