Overview

overview

8

Static

static

3

svchost_du...py.exe

windows7-x64

8

svchost_du...py.exe

windows10-1703-x64

8

svchost_du...py.exe

windows10-2004-x64

8

svchost_du...py.exe

windows11-21h2-x64

8

Resubmissions

12-04-2024 13:32

240412-qtgfpsag84 8

12-04-2024 13:32

240412-qtc4aaag83 8

12-04-2024 13:32

240412-qtcshsag82 8

12-04-2024 13:32

240412-qtb6zsag79 8

12-04-2024 13:32

240412-qtbkfsdh4s 8

09-04-2024 05:34

240409-f9mmjsbc9t 8

09-04-2024 05:33

240409-f9bkaabc8w 8

09-04-2024 05:33

240409-f86n2abc71 8

09-04-2024 05:33

240409-f8wh3afh27 8

01-02-2024 11:29

240201-nlq9tsebck 10

Analysis

  • max time kernel
    1199s
  • max time network
    1199s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags

    arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
  • submitted
    12-04-2024 13:32

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    svchost_dump_SCY - Copy.exe

  • Size

    5.2MB

  • MD5

    5fd3d21a968f4b8a1577b5405ab1c36a

  • SHA1

    710e5ab0fceb71b982b966c3a7406ebdf1d2aa82

  • SHA256

    7ac7b42889e14cbd8c7cebe692566ca045d0034f9ff103fc3ef9c5e035dc594f

  • SHA512

    085a31c0412ba0a3d612a66ec8d95ce900e148240f92f9ec8c4d07b6c8e32cf233e92aefc7b4b53a91f5eacacd1cf3a8fcdf8cd7c206afa46014a9e4a9ddf53f

  • SSDEEP

    98304:jgoX+R+gW1CkQFBAFGspWvuL136BRiGQiiyBrDbnh57cpbJLyns:coXxFGWL56BVrDbn77cjIs

Score
8/10
evasion

Malware Config

Signatures

  • Modifies Windows Firewall 2 TTPs 18 IoCs
    evasion
  • Executes dropped EXE 8 IoCs
  • Drops file in System32 directory 20 IoCs
  • Drops file in Windows directory 9 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies data under HKEY_USERS 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\svchost_dump_SCY - Copy.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost_dump_SCY - Copy.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4208
    • C:\Windows\System32\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:428
    • C:\Windows\System32\netsh.exe
      "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
      2⤵
      • Modifies Windows Firewall
      PID:4932
    • C:\Windows\System32\netsh.exe
      "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
      2⤵
      • Modifies Windows Firewall
      PID:3336
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4204
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1476
    • C:\Windows\SYSTEM32\schtasks.exe
      schtasks /delete /TN "Timer"
      2⤵
        PID:2640
      • C:\Windows\SYSTEM32\schtasks.exe
        schtasks /create /sc minute /ED "11/02/2024" /mo 7 /tn "Timer" /tr c:\windows\system\svchost.exe /ru SYSTEM
        2⤵
        • Creates scheduled task(s)
        PID:2296
      • C:\Windows\System\svchost.exe
        "C:\Windows\System\svchost.exe" formal
        2⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of WriteProcessMemory
        PID:432
        • C:\Windows\System32\Wbem\WMIC.exe
          WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName
          3⤵
            PID:2760
          • C:\Windows\System32\netsh.exe
            "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
            3⤵
            • Modifies Windows Firewall
            PID:1860
          • C:\Windows\System32\netsh.exe
            "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
            3⤵
            • Modifies Windows Firewall
            PID:4364
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
            3⤵
            • Suspicious behavior: EnumeratesProcesses
            PID:1832
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
            3⤵
            • Suspicious behavior: EnumeratesProcesses
            PID:708
          • C:\Users\Admin\AppData\Local\Temp\~tl3C5.tmp
            C:\Users\Admin\AppData\Local\Temp\~tl3C5.tmp
            3⤵
            • Executes dropped EXE
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:596
            • C:\Windows\SYSTEM32\netsh.exe
              netsh int ipv4 set dynamicport tcp start=1025 num=64511
              4⤵
                PID:1832
              • C:\Windows\System32\netsh.exe
                "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
                4⤵
                • Modifies Windows Firewall
                PID:2620
              • C:\Windows\System32\netsh.exe
                "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
                4⤵
                • Modifies Windows Firewall
                PID:8
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
                4⤵
                • Suspicious behavior: EnumeratesProcesses
                PID:4532
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
                4⤵
                • Suspicious behavior: EnumeratesProcesses
                PID:3700
              • C:\Windows\SYSTEM32\schtasks.exe
                schtasks /delete /TN "Timer"
                4⤵
                  PID:4496
                • C:\Windows\SYSTEM32\schtasks.exe
                  schtasks /create /sc minute /ED "11/02/2024" /mo 7 /tn "Timer" /tr c:\windows\system\svchost.exe /ru SYSTEM
                  4⤵
                  • Creates scheduled task(s)
                  PID:1404
                • C:\Windows\System\svchost.exe
                  "C:\Windows\System\svchost.exe" formal
                  4⤵
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of WriteProcessMemory
                  PID:1592
                  • C:\Windows\SYSTEM32\netsh.exe
                    netsh int ipv4 set dynamicport tcp start=1025 num=64511
                    5⤵
                      PID:3312
                    • C:\Windows\System32\netsh.exe
                      "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
                      5⤵
                      • Modifies Windows Firewall
                      PID:4848
                    • C:\Windows\System32\netsh.exe
                      "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
                      5⤵
                      • Modifies Windows Firewall
                      PID:824
                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
                      5⤵
                      • Suspicious behavior: EnumeratesProcesses
                      PID:1164
                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
                      5⤵
                      • Suspicious behavior: EnumeratesProcesses
                      PID:216
                    • C:\Users\Admin\AppData\Local\Temp\~tlDBB6.tmp
                      C:\Users\Admin\AppData\Local\Temp\~tlDBB6.tmp
                      5⤵
                      • Executes dropped EXE
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of WriteProcessMemory
                      PID:4916
                      • C:\Windows\SYSTEM32\netsh.exe
                        netsh int ipv4 set dynamicport tcp start=1025 num=64511
                        6⤵
                          PID:2204
                        • C:\Windows\System32\netsh.exe
                          "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
                          6⤵
                          • Modifies Windows Firewall
                          PID:1876
                        • C:\Windows\System32\netsh.exe
                          "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
                          6⤵
                          • Modifies Windows Firewall
                          PID:3080
                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
                          6⤵
                          • Suspicious behavior: EnumeratesProcesses
                          PID:1888
                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
                          6⤵
                          • Suspicious behavior: EnumeratesProcesses
                          PID:4276
              • \??\c:\windows\system\svchost.exe
                c:\windows\system\svchost.exe
                1⤵
                • Executes dropped EXE
                • Drops file in System32 directory
                • Drops file in Windows directory
                • Modifies data under HKEY_USERS
                • Suspicious behavior: EnumeratesProcesses
                PID:1532
                • C:\Windows\system32\netsh.exe
                  netsh int ipv4 set dynamicport tcp start=1025 num=64511
                  2⤵
                  • Modifies data under HKEY_USERS
                  PID:4672
                • C:\Windows\System32\netsh.exe
                  "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
                  2⤵
                  • Modifies Windows Firewall
                  PID:348
                • C:\Windows\System32\netsh.exe
                  "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
                  2⤵
                  • Modifies Windows Firewall
                  PID:3612
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
                  2⤵
                  • Drops file in System32 directory
                  • Modifies data under HKEY_USERS
                  • Suspicious behavior: EnumeratesProcesses
                  PID:1104
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
                  2⤵
                  • Drops file in System32 directory
                  • Modifies data under HKEY_USERS
                  • Suspicious behavior: EnumeratesProcesses
                  PID:1468
                • C:\Windows\TEMP\~tlAB32.tmp
                  C:\Windows\TEMP\~tlAB32.tmp
                  2⤵
                  • Executes dropped EXE
                  • Drops file in System32 directory
                  • Suspicious behavior: EnumeratesProcesses
                  PID:3228
                  • C:\Windows\system32\netsh.exe
                    netsh int ipv4 set dynamicport tcp start=1025 num=64511
                    3⤵
                      PID:5112
                    • C:\Windows\System32\netsh.exe
                      "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
                      3⤵
                      • Modifies Windows Firewall
                      PID:60
                    • C:\Windows\System32\netsh.exe
                      "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
                      3⤵
                      • Modifies Windows Firewall
                      • Modifies data under HKEY_USERS
                      PID:2032
                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
                      3⤵
                      • Drops file in System32 directory
                      • Modifies data under HKEY_USERS
                      • Suspicious behavior: EnumeratesProcesses
                      PID:2888
                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
                      3⤵
                      • Drops file in System32 directory
                      • Modifies data under HKEY_USERS
                      • Suspicious behavior: EnumeratesProcesses
                      PID:32
                • \??\c:\windows\system\svchost.exe
                  c:\windows\system\svchost.exe
                  1⤵
                  • Executes dropped EXE
                  • Drops file in System32 directory
                  • Drops file in Windows directory
                  • Suspicious behavior: EnumeratesProcesses
                  PID:3712
                  • C:\Windows\system32\netsh.exe
                    netsh int ipv4 set dynamicport tcp start=1025 num=64511
                    2⤵
                    • Modifies data under HKEY_USERS
                    PID:3376
                  • C:\Windows\System32\netsh.exe
                    "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
                    2⤵
                    • Modifies Windows Firewall
                    PID:1824
                  • C:\Windows\System32\netsh.exe
                    "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
                    2⤵
                    • Modifies Windows Firewall
                    • Modifies data under HKEY_USERS
                    PID:4604
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
                    2⤵
                    • Drops file in System32 directory
                    • Modifies data under HKEY_USERS
                    • Suspicious behavior: EnumeratesProcesses
                    PID:4412
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
                    2⤵
                    • Drops file in System32 directory
                    • Modifies data under HKEY_USERS
                    • Suspicious behavior: EnumeratesProcesses
                    PID:4532
                  • C:\Windows\TEMP\~tlD6C9.tmp
                    C:\Windows\TEMP\~tlD6C9.tmp
                    2⤵
                    • Executes dropped EXE
                    • Drops file in System32 directory
                    PID:1368
                    • C:\Windows\system32\netsh.exe
                      netsh int ipv4 set dynamicport tcp start=1025 num=64511
                      3⤵
                        PID:4960
                      • C:\Windows\System32\netsh.exe
                        "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
                        3⤵
                        • Modifies Windows Firewall
                        PID:1596
                      • C:\Windows\System32\netsh.exe
                        "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
                        3⤵
                        • Modifies Windows Firewall
                        PID:4192
                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
                        3⤵
                        • Drops file in System32 directory
                        • Modifies data under HKEY_USERS
                        PID:380
                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
                        3⤵
                        • Drops file in System32 directory
                        • Modifies data under HKEY_USERS
                        PID:1140

                  Network

                  MITRE ATT&CK Enterprise v15

                  Replay Monitor

                  Loading Replay Monitor...

                  Downloads

                  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
                    Filesize

                    2KB

                    MD5

                    cd5b15b46b9fe0d89c2b8d351c303d2a

                    SHA1

                    e1d30a8f98585e20c709732c013e926c7078a3c2

                    SHA256

                    0a8a0dcbec27e07c8dc9ef31622ac41591871416ccd9146f40d8cc9a2421da7a

                    SHA512

                    d7261b2ff89adcdb909b775c6a47b3cd366b7c3f5cbb4f60428e849582c93e14e76d7dcadec79003eef7c9a3059e305d5e4f6b5b912b9ebc3518e06b0d284dd7

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                    Filesize

                    1KB

                    MD5

                    41ee1edecbe7d06d72ee993f1e644f71

                    SHA1

                    20055e4fbe36c8ca6580ddc98db4bf9c8c3dec90

                    SHA256

                    217bcc3258cdac08cc7a561ae333c6f83c21aa77d6a263b8759f3366a1dbf55f

                    SHA512

                    8bd0d28972c4524a25e5e15d40a9a0fe54c115b72fae6ae4cf9a64b6006a657d7a52091cbca91821a917078a601137c0cc7d84b994a3715cf167b509a156dec9

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                    Filesize

                    1KB

                    MD5

                    866acb5d5132762235d10d5ee28bd7ba

                    SHA1

                    851ef33390119d3a58e0afac256fba9bc08c6e5f

                    SHA256

                    0279c440bb6b1c162badac03e7cc21b9ceee3509f09c20cb84c7a2b009b1fc92

                    SHA512

                    59c5d9809f74e07e5a4531b05b40ce85c3d0de3c75660401a4735f424ec06ac84717eb135a3bfa7619b16f48f521b783facf9284c6a37ee7534b81c6a75574b3

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                    Filesize

                    1KB

                    MD5

                    7808a889ebee64dfc13020f31517e3d0

                    SHA1

                    dc43543d5ec1e3656769e3daa92979da1120876c

                    SHA256

                    b58767c57927fca49b903a16fa52143d2011600f7fa7902a1c00346f96029090

                    SHA512

                    e85ed3f4a86a60d71aa5fd95b3c5116ffb2ac1250b01e950f94695eab5ed3de0129f6ad28ea07bc62df2283907346f3adc273ee3fc8f1be76b2437a4653de3da

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                    Filesize

                    1KB

                    MD5

                    63c374e7af09e7b366a22f592b825da1

                    SHA1

                    f4b734b8c96082b74b99c4906eeed9df894f18e6

                    SHA256

                    798e89044c7f1438757fc15f934d4b927c70cefe8961f4310d0fd0e15bb7aae9

                    SHA512

                    8d786f34f1a062cbe4ec13f2a9139c7ce102207917807c3057b44dcb47ee9e3c1c4366ff6a9fbe4ccc9ddbbe431e4d67bd700783e8767e3545db19ae2003eeab

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                    Filesize

                    192B

                    MD5

                    83aab16b68903d03a7abd3943d473f75

                    SHA1

                    acebede95f0f78ac6d4c5099cfb63e9252ab83e6

                    SHA256

                    b6124656aec39cdcecce4c3e4180cc4062efb2c689a5be104435db2696b66fe0

                    SHA512

                    7b65e4bf5491f85944379d0d29bbb6d6b22bf238c0e48d76d8b2e09d3d0cc2382a38ab34eba5dbfe2e04bdb5c71ad27f84e39b5c50f28ab18e6d5fc304b3f2b8

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1zynh0g3.vev.ps1
                    Filesize

                    1B

                    MD5

                    c4ca4238a0b923820dcc509a6f75849b

                    SHA1

                    356a192b7913b04c54574d18c28d46e6395428ab

                    SHA256

                    6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

                    SHA512

                    4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\~tl3C5.tmp
                    Filesize

                    385KB

                    MD5

                    e802c96760e48c5139995ffb2d891f90

                    SHA1

                    bba3d278c0eb1094a26e5d2f4c099ad685371578

                    SHA256

                    cb82ea45a37f8f79d10726a7c165aa5b392b68d5ac954141129c1762a539722c

                    SHA512

                    97300ac501be6b6ea3ac1915361dd472824fe612801cab8561a02c7df071b1534190d2d5ef872d89d24c8c915b88101e7315f948f53215c2538d661181e3a5f0

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\~tlDBB6.tmp
                    Filesize

                    393KB

                    MD5

                    9dbdd43a2e0b032604943c252eaf634a

                    SHA1

                    9584dc66f3c1cce4210fdf827a1b4e2bb22263af

                    SHA256

                    33c53cd5265502e7b62432dba0e1b5ed702b5007cc79973ccd1e71b2acc01e86

                    SHA512

                    b7b20b06dac952a96eda254bad29966fe7a4f827912beb0bc66d5af5b302d7c0282d70c1b01ff782507dd03a1d58706f05cb157521c7f2887a43085ffe5f94d1

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\tor\cached-microdesc-consensus.tmp
                    Filesize

                    2.7MB

                    MD5

                    27acfbf94480631e547b5cb508d9d4fb

                    SHA1

                    f6477330ca9aeb4a8cd19cc44e1a30fa9695b36c

                    SHA256

                    0fd156526952ba5edb62133774a19bf72f71d3c968d01fcdb517521d45a67c5e

                    SHA512

                    902ccecfa284881c1f241802b9ccd51a85da0cc48632fbd944b686d37a4fa57bc7cd01c44ef79bfe475494be780164b82ff8fa9a3e77984f6e29467843138929

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\tor\cached-microdescs.new
                    Filesize

                    5.8MB

                    MD5

                    c54b2945a090d9bf6d2b736f04c283f9

                    SHA1

                    ffffaa477541c137c130287468d3dae1e6998317

                    SHA256

                    8cafc156d505e89ac0dad75c03f5ba47e45528ced7916dbc76651c955aa0e2a0

                    SHA512

                    a076a2d214dd246083259c7ca7564274c47fdd05f5f171988558ceba03530b798596c996519ab5b99fb89ff105c546f660774c9f82b680913381bd80c83521f7

                    Download Submit

                  • C:\Windows\System\svchost.exe
                    Filesize

                    5.2MB

                    MD5

                    5fd3d21a968f4b8a1577b5405ab1c36a

                    SHA1

                    710e5ab0fceb71b982b966c3a7406ebdf1d2aa82

                    SHA256

                    7ac7b42889e14cbd8c7cebe692566ca045d0034f9ff103fc3ef9c5e035dc594f

                    SHA512

                    085a31c0412ba0a3d612a66ec8d95ce900e148240f92f9ec8c4d07b6c8e32cf233e92aefc7b4b53a91f5eacacd1cf3a8fcdf8cd7c206afa46014a9e4a9ddf53f

                    Download Submit

                  • C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
                    Filesize

                    3KB

                    MD5

                    478f1c1fcff584f4f440469ed71d2d43

                    SHA1

                    0900e9dc39580d527c145715f985a5a86e80b66c

                    SHA256

                    c918bf6bad93b653f9d05007634b088be7b91ed4350b777905d0520d93d650eb

                    SHA512

                    4ed62f2add77e0dd8e07e101ee06bdb8a15808b701c7580b09704bd4befdecf7cfe2fa29d6e96f2149a92f4e1b0cae0d9810a5cde3f4940145f8120f7322d1a7

                    Download Submit

                  • C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                    Filesize

                    192B

                    MD5

                    8bf8b0fb6b8f51b348062b490a2e33f1

                    SHA1

                    cc915be2a41ba8b5595f6d7d0c5a6a74ee7e12fa

                    SHA256

                    aa367d7048ef175a9227110d06687ddb7c7e942120a9f1c66dbf0aee6ad9206e

                    SHA512

                    e444f0ee338d63a7517dde840c501dcd8329492b523ff1a2616017a91437b872f2f5ba9bd37cb5da7a8ea064c743055b30256df8699b039109c6a2afaccf8ec4

                    Download Submit

                  • C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                    Filesize

                    1KB

                    MD5

                    2ebfea138c6fbedeb0e321cb822beaac

                    SHA1

                    b104a3cb9f8e5e29408e294f5c1f061ebfa03d10

                    SHA256

                    073456914fa4666530cfd4be0bcbbf9f551b324057152b4589e41b038a868297

                    SHA512

                    77f59acdeffec3c48ae0778445ef141e7e7710642ad55f58fb0830d28e2156e7236ebc2a9b4ba11a608581cfa3d13de70d40c8e27b07731a23d8becfab91f78e

                    Download Submit

                  • C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                    Filesize

                    1KB

                    MD5

                    94a4b127067d09a42a41068adfc3ab4e

                    SHA1

                    4bfde257ae5c1f2f1832c20100be264d54085292

                    SHA256

                    78d2564b3d69be6c2174111e5d99e509f2246643cebd603236b055d6e45ae054

                    SHA512

                    830e9503ca5997d717ae03b864c4d59142a8690bf0e178e2c358c1f2c37b8dafb49697c50e81597e56bff6c3b670fed7284c9bdfde7a4a55794c49d92c461c8d

                    Download Submit

                  • C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                    Filesize

                    719B

                    MD5

                    0f8f527dc9b7a096903fee037bb3770a

                    SHA1

                    5cc8237f7c6342b1103d4d89a4c256c09e95f62c

                    SHA256

                    6166410bdbd5b0a1b0924a8e46fd2a0379156d9e5383930a93a32002bb61f476

                    SHA512

                    b386815c5a8938b7f5721861832432d2febfffd2937b89ec48b2fe6680f788cdecf623fdc0a471dd1cd231583d3464e077f79199c2c46efbf9cfb3fd8aa5d6ba

                    Download Submit

                  • C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                    Filesize

                    64B

                    MD5

                    98fd0b040f103993ebdb8b784dcd68fb

                    SHA1

                    a492f69939fc31bfd809a8fcd7d760c515048f30

                    SHA256

                    d110d8a4d161a3f515e18d2cc470e0cb05b8807562e42b0506da701ccd1ad8f1

                    SHA512

                    b9861aa65ae6d2eeb1019bf9c6f79dbf4691e32cfb02b63de005243b20d40caab7992a0d0a50aa3f49e5d56c18246ca541e570f52bdcca610111fd4c0c0b644d

                    Download Submit

                  • C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                    Filesize

                    1KB

                    MD5

                    631f4b3792b263fdda6b265e93be4747

                    SHA1

                    1d6916097d419198bfdf78530d59d0d9f3e12d45

                    SHA256

                    4e68d2d067c5680a2e55853ac58b16f199b09f1b9e5f2174605fff18da828976

                    SHA512

                    e0280041c4ca63971ab2524f25d2047820f031c1b4aeb6021a3367297045ddf6616ffccafb54630eb07fd154571d844329ebcc34d6ce64834cb77cba373e4fbe

                    Download Submit

                  • memory/216-397-0x000001944DA30000-0x000001944DA40000-memory.dmp

                    Filesize

                    64KB

                    Download

                  • memory/216-448-0x000001944DA30000-0x000001944DA40000-memory.dmp

                    Filesize

                    64KB

                    Download

                  • memory/216-393-0x00007FF833CC0000-0x00007FF8346AC000-memory.dmp

                    Filesize

                    9.9MB

                    Download

                  • memory/216-398-0x000001944DA30000-0x000001944DA40000-memory.dmp

                    Filesize

                    64KB

                    Download

                  • memory/216-485-0x00007FF833CC0000-0x00007FF8346AC000-memory.dmp

                    Filesize

                    9.9MB

                    Download

                  • memory/216-480-0x000001944DA30000-0x000001944DA40000-memory.dmp

                    Filesize

                    64KB

                    Download

                  • memory/432-216-0x0000000036B60000-0x0000000037042000-memory.dmp

                    Filesize

                    4.9MB

                    Download

                  • memory/432-128-0x0000000140000000-0x0000000140636000-memory.dmp

                    Filesize

                    6.2MB

                    Download

                  • memory/432-111-0x0000000140000000-0x0000000140636000-memory.dmp

                    Filesize

                    6.2MB

                    Download

                  • memory/432-268-0x0000000140000000-0x0000000140636000-memory.dmp

                    Filesize

                    6.2MB

                    Download

                  • memory/596-270-0x0000000140000000-0x000000014015E400-memory.dmp

                    Filesize

                    1.4MB

                    Download

                  • memory/596-266-0x0000000140000000-0x000000014015E400-memory.dmp

                    Filesize

                    1.4MB

                    Download

                  • memory/596-269-0x0000000140000000-0x000000014015E400-memory.dmp

                    Filesize

                    1.4MB

                    Download

                  • memory/596-271-0x0000000140000000-0x000000014015E400-memory.dmp

                    Filesize

                    1.4MB

                    Download

                  • memory/596-382-0x0000000140000000-0x000000014015E400-memory.dmp

                    Filesize

                    1.4MB

                    Download

                  • memory/708-123-0x00007FF833CC0000-0x00007FF8346AC000-memory.dmp

                    Filesize

                    9.9MB

                    Download

                  • memory/708-210-0x000002345F120000-0x000002345F130000-memory.dmp

                    Filesize

                    64KB

                    Download

                  • memory/708-174-0x000002345F120000-0x000002345F130000-memory.dmp

                    Filesize

                    64KB

                    Download

                  • memory/708-130-0x000002345F120000-0x000002345F130000-memory.dmp

                    Filesize

                    64KB

                    Download

                  • memory/708-129-0x000002345F120000-0x000002345F130000-memory.dmp

                    Filesize

                    64KB

                    Download

                  • memory/708-215-0x00007FF833CC0000-0x00007FF8346AC000-memory.dmp

                    Filesize

                    9.9MB

                    Download

                  • memory/1164-415-0x000001DD7B480000-0x000001DD7B490000-memory.dmp

                    Filesize

                    64KB

                    Download

                  • memory/1164-390-0x000001DD7B480000-0x000001DD7B490000-memory.dmp

                    Filesize

                    64KB

                    Download

                  • memory/1164-389-0x000001DD7B480000-0x000001DD7B490000-memory.dmp

                    Filesize

                    64KB

                    Download

                  • memory/1164-386-0x00007FF833CC0000-0x00007FF8346AC000-memory.dmp

                    Filesize

                    9.9MB

                    Download

                  • memory/1164-468-0x000001DD7B480000-0x000001DD7B490000-memory.dmp

                    Filesize

                    64KB

                    Download

                  • memory/1164-481-0x00007FF833CC0000-0x00007FF8346AC000-memory.dmp

                    Filesize

                    9.9MB

                    Download

                  • memory/1476-18-0x0000024651370000-0x0000024651380000-memory.dmp

                    Filesize

                    64KB

                    Download

                  • memory/1476-14-0x00007FF833F80000-0x00007FF83496C000-memory.dmp

                    Filesize

                    9.9MB

                    Download

                  • memory/1476-17-0x0000024651370000-0x0000024651380000-memory.dmp

                    Filesize

                    64KB

                    Download

                  • memory/1476-96-0x0000024651370000-0x0000024651380000-memory.dmp

                    Filesize

                    64KB

                    Download

                  • memory/1476-105-0x00007FF833F80000-0x00007FF83496C000-memory.dmp

                    Filesize

                    9.9MB

                    Download

                  • memory/1476-48-0x0000024651370000-0x0000024651380000-memory.dmp

                    Filesize

                    64KB

                    Download

                  • memory/1532-620-0x0000000140000000-0x000000014015E400-memory.dmp

                    Filesize

                    1.4MB

                    Download

                  • memory/1532-942-0x0000000140000000-0x000000014015E400-memory.dmp

                    Filesize

                    1.4MB

                    Download

                  • memory/1532-950-0x0000000140000000-0x000000014015E400-memory.dmp

                    Filesize

                    1.4MB

                    Download

                  • memory/1592-494-0x0000000140000000-0x000000014015E400-memory.dmp

                    Filesize

                    1.4MB

                    Download

                  • memory/1592-381-0x0000000140000000-0x000000014015E400-memory.dmp

                    Filesize

                    1.4MB

                    Download

                  • memory/1592-383-0x0000000140000000-0x000000014015E400-memory.dmp

                    Filesize

                    1.4MB

                    Download

                  • memory/1832-118-0x0000024DF0E00000-0x0000024DF0E10000-memory.dmp

                    Filesize

                    64KB

                    Download

                  • memory/1832-119-0x0000024DF0E00000-0x0000024DF0E10000-memory.dmp

                    Filesize

                    64KB

                    Download

                  • memory/1832-144-0x0000024DF0E00000-0x0000024DF0E10000-memory.dmp

                    Filesize

                    64KB

                    Download

                  • memory/1832-196-0x0000024DF0E00000-0x0000024DF0E10000-memory.dmp

                    Filesize

                    64KB

                    Download

                  • memory/1832-211-0x00007FF833CC0000-0x00007FF8346AC000-memory.dmp

                    Filesize

                    9.9MB

                    Download

                  • memory/1832-115-0x00007FF833CC0000-0x00007FF8346AC000-memory.dmp

                    Filesize

                    9.9MB

                    Download

                  • memory/1888-505-0x0000021E65E50000-0x0000021E65E60000-memory.dmp

                    Filesize

                    64KB

                    Download

                  • memory/1888-502-0x00007FF833CC0000-0x00007FF8346AC000-memory.dmp

                    Filesize

                    9.9MB

                    Download

                  • memory/1888-504-0x0000021E65E50000-0x0000021E65E60000-memory.dmp

                    Filesize

                    64KB

                    Download

                  • memory/3228-954-0x0000000140000000-0x0000000140170400-memory.dmp

                    Filesize

                    1.4MB

                    Download

                  • memory/3228-1270-0x0000000140000000-0x0000000140170400-memory.dmp

                    Filesize

                    1.4MB

                    Download

                  • memory/3700-364-0x0000018EF9750000-0x0000018EF9760000-memory.dmp

                    Filesize

                    64KB

                    Download

                  • memory/3700-372-0x00007FF833CC0000-0x00007FF8346AC000-memory.dmp

                    Filesize

                    9.9MB

                    Download

                  • memory/3700-284-0x0000018EF9750000-0x0000018EF9760000-memory.dmp

                    Filesize

                    64KB

                    Download

                  • memory/3700-283-0x00007FF833CC0000-0x00007FF8346AC000-memory.dmp

                    Filesize

                    9.9MB

                    Download

                  • memory/3700-321-0x0000018EF9750000-0x0000018EF9760000-memory.dmp

                    Filesize

                    64KB

                    Download

                  • memory/3700-285-0x0000018EF9750000-0x0000018EF9760000-memory.dmp

                    Filesize

                    64KB

                    Download

                  • memory/4204-6-0x000002C658DE0000-0x000002C658DF0000-memory.dmp

                    Filesize

                    64KB

                    Download

                  • memory/4204-7-0x000002C658DE0000-0x000002C658DF0000-memory.dmp

                    Filesize

                    64KB

                    Download

                  • memory/4204-8-0x000002C658D90000-0x000002C658DB2000-memory.dmp

                    Filesize

                    136KB

                    Download

                  • memory/4204-104-0x00007FF833F80000-0x00007FF83496C000-memory.dmp

                    Filesize

                    9.9MB

                    Download

                  • memory/4204-5-0x00007FF833F80000-0x00007FF83496C000-memory.dmp

                    Filesize

                    9.9MB

                    Download

                  • memory/4204-45-0x000002C658DE0000-0x000002C658DF0000-memory.dmp

                    Filesize

                    64KB

                    Download

                  • memory/4204-19-0x000002C659070000-0x000002C6590E6000-memory.dmp

                    Filesize

                    472KB

                    Download

                  • memory/4208-0-0x0000000140000000-0x0000000140636000-memory.dmp

                    Filesize

                    6.2MB

                    Download

                  • memory/4208-12-0x0000000140000000-0x0000000140636000-memory.dmp

                    Filesize

                    6.2MB

                    Download

                  • memory/4208-112-0x0000000140000000-0x0000000140636000-memory.dmp

                    Filesize

                    6.2MB

                    Download

                  • memory/4276-510-0x00007FF833CC0000-0x00007FF8346AC000-memory.dmp

                    Filesize

                    9.9MB

                    Download

                  • memory/4276-514-0x0000024155A90000-0x0000024155AA0000-memory.dmp

                    Filesize

                    64KB

                    Download

                  • memory/4532-277-0x00000263ECF80000-0x00000263ECF90000-memory.dmp

                    Filesize

                    64KB

                    Download

                  • memory/4532-315-0x00000263ECF80000-0x00000263ECF90000-memory.dmp

                    Filesize

                    64KB

                    Download

                  • memory/4532-278-0x00000263ECF80000-0x00000263ECF90000-memory.dmp

                    Filesize

                    64KB

                    Download

                  • memory/4532-366-0x00000263ECF80000-0x00000263ECF90000-memory.dmp

                    Filesize

                    64KB

                    Download

                  • memory/4532-274-0x00007FF833CC0000-0x00007FF8346AC000-memory.dmp

                    Filesize

                    9.9MB

                    Download

                  • memory/4532-373-0x00007FF833CC0000-0x00007FF8346AC000-memory.dmp

                    Filesize

                    9.9MB

                    Download

                  • memory/4916-602-0x0000000140000000-0x0000000140170400-memory.dmp

                    Filesize

                    1.4MB

                    Download

                  • memory/4916-498-0x0000000140000000-0x0000000140170400-memory.dmp

                    Filesize

                    1.4MB

                    Download

                  • memory/4916-497-0x0000000140000000-0x0000000140170400-memory.dmp

                    Filesize

                    1.4MB

                    Download

                  • memory/4916-496-0x0000000140000000-0x0000000140170400-memory.dmp

                    Filesize

                    1.4MB

                    Download

                  • memory/4916-495-0x0000000140000000-0x0000000140170400-memory.dmp

                    Filesize

                    1.4MB

                    Download

                  • memory/4916-493-0x0000000140000000-0x0000000140170400-memory.dmp

                    Filesize

                    1.4MB

                    Download