Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

8

Static

static

3

64e589ec7b...ab.exe

windows11-21h2-x64

1

64e589ec7b...ab.exe

windows7-x64

8

64e589ec7b...ab.exe

windows10-1703-x64

8

64e589ec7b...ab.exe

windows10-2004-x64

8

64e589ec7b...ab.exe

windows11-21h2-x64

1

Resubmissions

17/04/2024, 12:37

240417-pths4afc45 8

17/04/2024, 12:37

240417-ptg7kafc43 8

17/04/2024, 12:36

240417-ptcbbafc34 8

17/04/2024, 12:36

240417-ptbpsafc29 8

17/04/2024, 12:36

240417-pta39afc28 8

16/04/2024, 13:44

240416-q1vxnsda7z 8

Analysis

  • max time kernel
    1799s
  • max time network
    1800s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags

    arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
  • submitted
    17/04/2024, 12:37

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    64e589ec7bd006671b3192241c36ab7d87c9f4e93fd0b0d6f5f327de1b9a59ab.exe

  • Size

    5.3MB

  • MD5

    63552c60caeefe5f2d0e4028b3cc65d3

  • SHA1

    dbed3040d53495a6afda01bfb8399376792eb48c

  • SHA256

    64e589ec7bd006671b3192241c36ab7d87c9f4e93fd0b0d6f5f327de1b9a59ab

  • SHA512

    caf92a581afd25daaf9763a382b47fc87141773a8879c24ed855dfe1186b86ed7269b0cf17e8c1caee983eb85008f1161f4df07aabe0e1bb719514b41c365ba0

  • SSDEEP

    98304:vwrOjNr08jQxkFg97Nw76XgfqCPa1AQy2cmw:YC5r0wQxKg97Nw76XgyC6

Score
8/10
discoveryevasion

Malware Config

Signatures

  • Contacts a large (505) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

    discovery
  • Modifies Windows Firewall 2 TTPs 18 IoCs
    evasion
  • Executes dropped EXE 11 IoCs
  • Drops file in System32 directory 30 IoCs
  • Drops file in Windows directory 10 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies data under HKEY_USERS 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\64e589ec7bd006671b3192241c36ab7d87c9f4e93fd0b0d6f5f327de1b9a59ab.exe
    "C:\Users\Admin\AppData\Local\Temp\64e589ec7bd006671b3192241c36ab7d87c9f4e93fd0b0d6f5f327de1b9a59ab.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3472
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:868
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4524
    • C:\Windows\SYSTEM32\schtasks.exe
      schtasks /create /sc minute /ED "11/02/2024" /mo 7 /tn "Timer" /tr c:\windows\system\svchost.exe /ru SYSTEM
      2⤵
      • Creates scheduled task(s)
      PID:4300
    • C:\Windows\System\svchost.exe
      "C:\Windows\System\svchost.exe" formal
      2⤵
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      PID:512
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4104
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:372
      • C:\Users\Admin\AppData\Local\Temp\~tlA2C1.tmp
        C:\Users\Admin\AppData\Local\Temp\~tlA2C1.tmp
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:3632
        • C:\Windows\SYSTEM32\netsh.exe
          netsh int ipv4 set dynamicport tcp start=1025 num=64511
          4⤵
            PID:312
          • C:\Windows\System32\netsh.exe
            "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
            4⤵
            • Modifies Windows Firewall
            PID:3396
          • C:\Windows\System32\netsh.exe
            "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
            4⤵
            • Modifies Windows Firewall
            PID:4648
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
            4⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2180
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
            4⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:5104
          • C:\Windows\SYSTEM32\schtasks.exe
            schtasks /delete /TN "Timer"
            4⤵
              PID:4804
            • C:\Windows\SYSTEM32\schtasks.exe
              schtasks /create /sc minute /ED "11/02/2024" /mo 7 /tn "Timer" /tr c:\windows\system\svchost.exe /ru SYSTEM
              4⤵
              • Creates scheduled task(s)
              PID:5068
            • C:\Windows\System\svchost.exe
              "C:\Windows\System\svchost.exe" formal
              4⤵
              • Executes dropped EXE
              • Drops file in Windows directory
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of WriteProcessMemory
              PID:200
              • C:\Windows\SYSTEM32\netsh.exe
                netsh int ipv4 set dynamicport tcp start=1025 num=64511
                5⤵
                  PID:4912
                • C:\Windows\System32\netsh.exe
                  "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
                  5⤵
                  • Modifies Windows Firewall
                  PID:3172
                • C:\Windows\System32\netsh.exe
                  "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
                  5⤵
                  • Modifies Windows Firewall
                  PID:1624
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
                  5⤵
                  • Suspicious behavior: EnumeratesProcesses
                  PID:3028
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
                  5⤵
                  • Suspicious behavior: EnumeratesProcesses
                  PID:1416
                • C:\Users\Admin\AppData\Local\Temp\~tl9985.tmp
                  C:\Users\Admin\AppData\Local\Temp\~tl9985.tmp
                  5⤵
                  • Executes dropped EXE
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of WriteProcessMemory
                  PID:4356
                  • C:\Windows\SYSTEM32\netsh.exe
                    netsh int ipv4 set dynamicport tcp start=1025 num=64511
                    6⤵
                      PID:4532
                    • C:\Windows\System32\netsh.exe
                      "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
                      6⤵
                      • Modifies Windows Firewall
                      PID:4340
                    • C:\Windows\System32\netsh.exe
                      "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
                      6⤵
                      • Modifies Windows Firewall
                      PID:2328
                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
                      6⤵
                      • Suspicious behavior: EnumeratesProcesses
                      PID:1312
                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
                      6⤵
                      • Suspicious behavior: EnumeratesProcesses
                      PID:4936
          • \??\c:\windows\system\svchost.exe
            c:\windows\system\svchost.exe
            1⤵
            • Executes dropped EXE
            PID:3228
          • \??\c:\windows\system\svchost.exe
            c:\windows\system\svchost.exe
            1⤵
            • Executes dropped EXE
            • Drops file in System32 directory
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:1580
            • C:\Windows\system32\netsh.exe
              netsh int ipv4 set dynamicport tcp start=1025 num=64511
              2⤵
                PID:2296
              • C:\Windows\System32\netsh.exe
                "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
                2⤵
                • Modifies Windows Firewall
                PID:1996
              • C:\Windows\System32\netsh.exe
                "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
                2⤵
                • Modifies Windows Firewall
                • Modifies data under HKEY_USERS
                PID:4232
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
                2⤵
                • Drops file in System32 directory
                • Modifies data under HKEY_USERS
                • Suspicious behavior: EnumeratesProcesses
                PID:3604
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
                2⤵
                • Drops file in System32 directory
                • Modifies data under HKEY_USERS
                • Suspicious behavior: EnumeratesProcesses
                PID:2444
              • C:\Windows\TEMP\~tl7792.tmp
                C:\Windows\TEMP\~tl7792.tmp
                2⤵
                • Executes dropped EXE
                • Drops file in System32 directory
                • Modifies data under HKEY_USERS
                • Suspicious behavior: EnumeratesProcesses
                PID:200
                • C:\Windows\system32\netsh.exe
                  netsh int ipv4 set dynamicport tcp start=1025 num=64511
                  3⤵
                  • Modifies data under HKEY_USERS
                  PID:4292
                • C:\Windows\System32\netsh.exe
                  "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
                  3⤵
                  • Modifies Windows Firewall
                  PID:2556
                • C:\Windows\System32\netsh.exe
                  "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
                  3⤵
                  • Modifies Windows Firewall
                  PID:1308
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
                  3⤵
                  • Drops file in System32 directory
                  • Modifies data under HKEY_USERS
                  • Suspicious behavior: EnumeratesProcesses
                  PID:4940
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
                  3⤵
                  • Drops file in System32 directory
                  • Modifies data under HKEY_USERS
                  • Suspicious behavior: EnumeratesProcesses
                  PID:4240
            • \??\c:\windows\system\svchost.exe
              c:\windows\system\svchost.exe
              1⤵
              • Executes dropped EXE
              • Drops file in System32 directory
              • Drops file in Windows directory
              • Modifies data under HKEY_USERS
              • Suspicious behavior: EnumeratesProcesses
              PID:4484
              • C:\Windows\system32\netsh.exe
                netsh int ipv4 set dynamicport tcp start=1025 num=64511
                2⤵
                  PID:4032
                • C:\Windows\System32\netsh.exe
                  "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
                  2⤵
                  • Modifies Windows Firewall
                  PID:1236
                • C:\Windows\System32\netsh.exe
                  "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
                  2⤵
                  • Modifies Windows Firewall
                  • Modifies data under HKEY_USERS
                  PID:2324
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
                  2⤵
                  • Drops file in System32 directory
                  • Modifies data under HKEY_USERS
                  • Suspicious behavior: EnumeratesProcesses
                  PID:4616
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
                  2⤵
                  • Drops file in System32 directory
                  • Modifies data under HKEY_USERS
                  • Suspicious behavior: EnumeratesProcesses
                  PID:744
                • C:\Windows\TEMP\~tlE3BC.tmp
                  C:\Windows\TEMP\~tlE3BC.tmp
                  2⤵
                  • Executes dropped EXE
                  • Drops file in System32 directory
                  PID:4560
                  • C:\Windows\system32\netsh.exe
                    netsh int ipv4 set dynamicport tcp start=1025 num=64511
                    3⤵
                      PID:2172
                    • C:\Windows\System32\netsh.exe
                      "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
                      3⤵
                      • Modifies Windows Firewall
                      PID:3648
                    • C:\Windows\System32\netsh.exe
                      "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
                      3⤵
                      • Modifies Windows Firewall
                      • Modifies data under HKEY_USERS
                      PID:2452
                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
                      3⤵
                      • Drops file in System32 directory
                      • Modifies data under HKEY_USERS
                      PID:68
                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
                      3⤵
                      • Drops file in System32 directory
                      • Modifies data under HKEY_USERS
                      PID:1676
                • \??\c:\windows\system\svchost.exe
                  c:\windows\system\svchost.exe
                  1⤵
                  • Executes dropped EXE
                  • Drops file in System32 directory
                  • Drops file in Windows directory
                  • Modifies data under HKEY_USERS
                  PID:420
                  • C:\Windows\system32\netsh.exe
                    netsh int ipv4 set dynamicport tcp start=1025 num=64511
                    2⤵
                      PID:3552
                    • C:\Windows\System32\netsh.exe
                      "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
                      2⤵
                      • Modifies Windows Firewall
                      PID:3000
                    • C:\Windows\System32\netsh.exe
                      "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
                      2⤵
                      • Modifies Windows Firewall
                      PID:164
                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
                      2⤵
                      • Drops file in System32 directory
                      • Modifies data under HKEY_USERS
                      PID:1488
                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
                      2⤵
                      • Drops file in System32 directory
                      • Modifies data under HKEY_USERS
                      PID:1992
                    • C:\Windows\TEMP\~tl4CAA.tmp
                      C:\Windows\TEMP\~tl4CAA.tmp
                      2⤵
                      • Executes dropped EXE
                      • Drops file in System32 directory
                      • Modifies data under HKEY_USERS
                      PID:3784
                      • C:\Windows\system32\netsh.exe
                        netsh int ipv4 set dynamicport tcp start=1025 num=64511
                        3⤵
                          PID:2324
                        • C:\Windows\System32\netsh.exe
                          "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
                          3⤵
                          • Modifies Windows Firewall
                          PID:4712
                        • C:\Windows\System32\netsh.exe
                          "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
                          3⤵
                          • Modifies Windows Firewall
                          PID:588
                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
                          3⤵
                          • Drops file in System32 directory
                          • Modifies data under HKEY_USERS
                          PID:3692
                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
                          3⤵
                          • Drops file in System32 directory
                          • Modifies data under HKEY_USERS
                          PID:1056

                    Network

                    MITRE ATT&CK Enterprise v15

                    Replay Monitor

                    Loading Replay Monitor...

                    Downloads

                    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
                      Filesize

                      3KB

                      MD5

                      ad5cd538ca58cb28ede39c108acb5785

                      SHA1

                      1ae910026f3dbe90ed025e9e96ead2b5399be877

                      SHA256

                      c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033

                      SHA512

                      c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                      Filesize

                      1KB

                      MD5

                      44eb8a14dedefd735305a50a1d666904

                      SHA1

                      a89421b635d6e970b6af900ff2f68247cbdd7937

                      SHA256

                      136620441772d450d1e331fe2e1bae355b71e345eecc62b730ce8b43dece33d8

                      SHA512

                      0e6d5205f6b74bf4b39169dd83b4abad0c74059d6685818f260b141d8583c650bf26f252e890370cacccf4d379b7bb367f6d7ea19077fb43ed8742dcc96ba353

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                      Filesize

                      1KB

                      MD5

                      4b75dc180343d717f51cec0896a33d47

                      SHA1

                      6e0c7f0fb7e61b567b3488f802db021d64784ac3

                      SHA256

                      ea1d9db89323293a8b8eed709e9aa25822422957fd07668468ecc83436f4c1eb

                      SHA512

                      67744d3b679e10d5082e1f7a65633ab448eb3f3260b9fe6167c56a04edc2f8445ed8a2689e4783778e141628328f2ed9f2096b63c5eafcd9b479432dd2d454cd

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                      Filesize

                      1KB

                      MD5

                      a1fc1a97aa82ccd5a1e18e267bfaf7de

                      SHA1

                      a4c2ea4643b7f5c6b69ce9a710e17af3239a4763

                      SHA256

                      f8572fbaec1d29fe17bfcd7b9f977cdc83e0a5ae1008a1e8fb4278610da1a477

                      SHA512

                      6970e51a42f49577e0a5bc0c1f9d87aab128ef685b16daca1ef756dc2ef83f2f4dc5288b3424ffe040825a075e1b28c05cb59022c670f9b06c4ed008cd4c0d92

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                      Filesize

                      1KB

                      MD5

                      87ddeceb8619b9e2b0e07ef94388a032

                      SHA1

                      d6159b2f8f1761529ccf6ba9d94cabee7242cd88

                      SHA256

                      a2fec0f54881e1dc6914da63817ebfcbea5650629e5926ce7f6bf08819b144b4

                      SHA512

                      15db013663caf5999c23039c80d8ada9169b9c6cdc348a3d86362bec78c7fbb18096a99011480f070d91e5a58772723579f65301d1c161ac7284d97baaf14d87

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                      Filesize

                      1KB

                      MD5

                      a6ddd84c1fb579eaf50f4de9c0e7fbc2

                      SHA1

                      ccddd6c85ae990ab7a7f1a79462b0716f54bdb83

                      SHA256

                      d220c5c13d097cec46a0e250b138f29d407b9a5d21dd1cf8597e75ea27d16f8b

                      SHA512

                      c5ce93df83073e0f96a3f92642ab2000ef28b6b2816b2dfa3d12f6b3a5611ba54cbc03d6cd531df8e184cd4c0b6c730a5103968453a045d86f38281e18a07dec

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rinum0zz.sxb.ps1
                      Filesize

                      1B

                      MD5

                      c4ca4238a0b923820dcc509a6f75849b

                      SHA1

                      356a192b7913b04c54574d18c28d46e6395428ab

                      SHA256

                      6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

                      SHA512

                      4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Temp\~tl9985.tmp
                      Filesize

                      393KB

                      MD5

                      9dbdd43a2e0b032604943c252eaf634a

                      SHA1

                      9584dc66f3c1cce4210fdf827a1b4e2bb22263af

                      SHA256

                      33c53cd5265502e7b62432dba0e1b5ed702b5007cc79973ccd1e71b2acc01e86

                      SHA512

                      b7b20b06dac952a96eda254bad29966fe7a4f827912beb0bc66d5af5b302d7c0282d70c1b01ff782507dd03a1d58706f05cb157521c7f2887a43085ffe5f94d1

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Temp\~tlA2C1.tmp
                      Filesize

                      385KB

                      MD5

                      e802c96760e48c5139995ffb2d891f90

                      SHA1

                      bba3d278c0eb1094a26e5d2f4c099ad685371578

                      SHA256

                      cb82ea45a37f8f79d10726a7c165aa5b392b68d5ac954141129c1762a539722c

                      SHA512

                      97300ac501be6b6ea3ac1915361dd472824fe612801cab8561a02c7df071b1534190d2d5ef872d89d24c8c915b88101e7315f948f53215c2538d661181e3a5f0

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\tor\cached-microdesc-consensus.tmp
                      Filesize

                      2.6MB

                      MD5

                      e7634067c1219da664e2c13a622988bf

                      SHA1

                      b354b3912ec59fefecdaa660af50c679b136b6ca

                      SHA256

                      e1f51b61149b811c5029caaa39ddf54faa18fcd18bbcf432155ad324fbc0fdb7

                      SHA512

                      b61ea1448ec13e88c66e043c0f99d95a2626e631841bec0b0e2e1dd6cbbcb8f8587d414f3ad32794ccdadf7c763910ed844220684f3edc71109f47fe4353c944

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\tor\cached-microdescs.new
                      Filesize

                      18.9MB

                      MD5

                      a94b83826ab91bac5ce5a892b0fc2ef2

                      SHA1

                      35f345875c739f561804c9e84d733cd8524ab351

                      SHA256

                      63a5d8cfa61dd2426748c2a4d8f9391471e0737c1b867a859450f9081de834b2

                      SHA512

                      e252ec4ddf68fe208133e789519206874859f109678323265495aa78bde40895a4cfc84a3ffad0c703a8c63af9fb89e38daa89a2e94de7534d01c0e3adf93c06

                      Download Submit

                    • C:\Windows\System\svchost.exe
                      Filesize

                      5.3MB

                      MD5

                      63552c60caeefe5f2d0e4028b3cc65d3

                      SHA1

                      dbed3040d53495a6afda01bfb8399376792eb48c

                      SHA256

                      64e589ec7bd006671b3192241c36ab7d87c9f4e93fd0b0d6f5f327de1b9a59ab

                      SHA512

                      caf92a581afd25daaf9763a382b47fc87141773a8879c24ed855dfe1186b86ed7269b0cf17e8c1caee983eb85008f1161f4df07aabe0e1bb719514b41c365ba0

                      Download Submit

                    • C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
                      Filesize

                      3KB

                      MD5

                      478f1c1fcff584f4f440469ed71d2d43

                      SHA1

                      0900e9dc39580d527c145715f985a5a86e80b66c

                      SHA256

                      c918bf6bad93b653f9d05007634b088be7b91ed4350b777905d0520d93d650eb

                      SHA512

                      4ed62f2add77e0dd8e07e101ee06bdb8a15808b701c7580b09704bd4befdecf7cfe2fa29d6e96f2149a92f4e1b0cae0d9810a5cde3f4940145f8120f7322d1a7

                      Download Submit

                    • C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                      Filesize

                      1KB

                      MD5

                      631f4b3792b263fdda6b265e93be4747

                      SHA1

                      1d6916097d419198bfdf78530d59d0d9f3e12d45

                      SHA256

                      4e68d2d067c5680a2e55853ac58b16f199b09f1b9e5f2174605fff18da828976

                      SHA512

                      e0280041c4ca63971ab2524f25d2047820f031c1b4aeb6021a3367297045ddf6616ffccafb54630eb07fd154571d844329ebcc34d6ce64834cb77cba373e4fbe

                      Download Submit

                    • C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                      Filesize

                      1KB

                      MD5

                      8f55607af68cf5be1e77aabea4e8c6fd

                      SHA1

                      60652b53a9da853a7e0253abdb81e980bb1e1215

                      SHA256

                      63a1542c4f08aba997082923e810b2658572abfcaf4421a9378cebd37f269f69

                      SHA512

                      b8b47c3d2f84a3235f17a23ab14aab4641543be0a6202c3378978f61c99d39dad97b7975fa92be03d98112dbc3e896ed9b98825f856b2911aafb31669dc3ba72

                      Download Submit

                    • C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                      Filesize

                      1KB

                      MD5

                      9bf0f856935c199ea97d309997de1331

                      SHA1

                      20b6695bd34cd56545fdd8bc65e50d07067fb0da

                      SHA256

                      e12dd8f1e347cd07762482c40948a2bc39715262be17c5e48212f8097d4dac6f

                      SHA512

                      bc878a7f71392ff8b51fd3a23c57181ec45ab8a1a79d7a74844c1d0a137159555e48f19e98dbb334e61c4424ea0a11084093a8d902c309debce5d0cc747c17b8

                      Download Submit

                    • C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                      Filesize

                      1KB

                      MD5

                      8ddb34ba2255effc4e022a2cf22cd1a8

                      SHA1

                      7129e78a2918898bf0ec1ffef05db9dcfac2d533

                      SHA256

                      5fe606fcbb29981b80cab9f739f5702d6c179e8be84e56a4cb3b1db483c96eb3

                      SHA512

                      3d32ab8d4725d69d9b4e1a921f471232177c158ed6201d92e04adfaf841a292bca44d5d9976545f528f1bd3d4ca9295cf27ab2edbc64c278e3e3d02fe767d552

                      Download Submit

                    • C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                      Filesize

                      1KB

                      MD5

                      c43c94e184507c9f3f9ad68d3833969d

                      SHA1

                      e8cc9f35667810eabf80ea703712a2268df042d2

                      SHA256

                      8bad71eabc9833e49b7c91a47aa43447f5e44eae60115cc408dadda5b666870a

                      SHA512

                      1edeb71aa0ebe29dad6960595664e801e54269eb53406f4b2a3eae735c2bf7c6cd474a590a60ba3cbfa80e1f152c0af2cfca39f52c291c10b76007f92c382806

                      Download Submit

                    • C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                      Filesize

                      192B

                      MD5

                      9f307dd390e7e31ced73b0b3a5ecc9b2

                      SHA1

                      423b72374debc8033931ca99a69af59fd03b6f3f

                      SHA256

                      a68a75bb16ddc903d447129413e030f26aa5a9cb18fd9d6033a857097263e07c

                      SHA512

                      3d2edb995b6ee8aedc8410f248a9d00d32f5bfddcae129be387b6f5ea7152b62e45d8742a525fc1bb93c961a5b4e18e810ce847a20cbf06518ecc38242e64218

                      Download Submit

                    • memory/200-568-0x0000000140000000-0x000000014015E400-memory.dmp

                      Filesize

                      1.4MB

                      Download

                    • memory/200-462-0x0000000140000000-0x000000014015E400-memory.dmp

                      Filesize

                      1.4MB

                      Download

                    • memory/200-446-0x0000000140000000-0x000000014015E400-memory.dmp

                      Filesize

                      1.4MB

                      Download

                    • memory/200-445-0x0000000140000000-0x000000014015E400-memory.dmp

                      Filesize

                      1.4MB

                      Download

                    • memory/372-137-0x000001B1FC6C0000-0x000001B1FC6D0000-memory.dmp

                      Filesize

                      64KB

                      Download

                    • memory/372-217-0x000001B1FC6C0000-0x000001B1FC6D0000-memory.dmp

                      Filesize

                      64KB

                      Download

                    • memory/372-169-0x000001B1FC6C0000-0x000001B1FC6D0000-memory.dmp

                      Filesize

                      64KB

                      Download

                    • memory/372-224-0x00007FFE770D0000-0x00007FFE77ABC000-memory.dmp

                      Filesize

                      9.9MB

                      Download

                    • memory/372-133-0x00007FFE770D0000-0x00007FFE77ABC000-memory.dmp

                      Filesize

                      9.9MB

                      Download

                    • memory/512-124-0x0000000140000000-0x0000000140644400-memory.dmp

                      Filesize

                      6.3MB

                      Download

                    • memory/512-260-0x0000000140000000-0x0000000140644400-memory.dmp

                      Filesize

                      6.3MB

                      Download

                    • memory/512-311-0x0000000140000000-0x0000000140644400-memory.dmp

                      Filesize

                      6.3MB

                      Download

                    • memory/512-226-0x0000000015540000-0x0000000015A3C000-memory.dmp

                      Filesize

                      5.0MB

                      Download

                    • memory/512-331-0x0000000140000000-0x0000000140644400-memory.dmp

                      Filesize

                      6.3MB

                      Download

                    • memory/868-15-0x00007FFE770D0000-0x00007FFE77ABC000-memory.dmp

                      Filesize

                      9.9MB

                      Download

                    • memory/868-110-0x00007FFE770D0000-0x00007FFE77ABC000-memory.dmp

                      Filesize

                      9.9MB

                      Download

                    • memory/868-101-0x0000028A73700000-0x0000028A73710000-memory.dmp

                      Filesize

                      64KB

                      Download

                    • memory/868-56-0x0000028A73700000-0x0000028A73710000-memory.dmp

                      Filesize

                      64KB

                      Download

                    • memory/868-26-0x0000028A73910000-0x0000028A73986000-memory.dmp

                      Filesize

                      472KB

                      Download

                    • memory/868-21-0x0000028A73700000-0x0000028A73710000-memory.dmp

                      Filesize

                      64KB

                      Download

                    • memory/868-18-0x0000028A73700000-0x0000028A73710000-memory.dmp

                      Filesize

                      64KB

                      Download

                    • memory/1416-465-0x00007FFE77030000-0x00007FFE77A1C000-memory.dmp

                      Filesize

                      9.9MB

                      Download

                    • memory/1416-466-0x000002BFDF570000-0x000002BFDF580000-memory.dmp

                      Filesize

                      64KB

                      Download

                    • memory/1416-557-0x00007FFE77030000-0x00007FFE77A1C000-memory.dmp

                      Filesize

                      9.9MB

                      Download

                    • memory/1416-469-0x000002BFDF570000-0x000002BFDF580000-memory.dmp

                      Filesize

                      64KB

                      Download

                    • memory/1416-511-0x000002BFDF570000-0x000002BFDF580000-memory.dmp

                      Filesize

                      64KB

                      Download

                    • memory/1416-553-0x000002BFDF570000-0x000002BFDF580000-memory.dmp

                      Filesize

                      64KB

                      Download

                    • memory/2180-341-0x0000016F6A8E0000-0x0000016F6A8F0000-memory.dmp

                      Filesize

                      64KB

                      Download

                    • memory/2180-367-0x0000016F6A8E0000-0x0000016F6A8F0000-memory.dmp

                      Filesize

                      64KB

                      Download

                    • memory/2180-340-0x0000016F6A8E0000-0x0000016F6A8F0000-memory.dmp

                      Filesize

                      64KB

                      Download

                    • memory/2180-436-0x00007FFE77030000-0x00007FFE77A1C000-memory.dmp

                      Filesize

                      9.9MB

                      Download

                    • memory/2180-430-0x0000016F6A8E0000-0x0000016F6A8F0000-memory.dmp

                      Filesize

                      64KB

                      Download

                    • memory/2180-338-0x00007FFE77030000-0x00007FFE77A1C000-memory.dmp

                      Filesize

                      9.9MB

                      Download

                    • memory/3028-453-0x00007FFE77030000-0x00007FFE77A1C000-memory.dmp

                      Filesize

                      9.9MB

                      Download

                    • memory/3028-486-0x0000028D2B710000-0x0000028D2B720000-memory.dmp

                      Filesize

                      64KB

                      Download

                    • memory/3028-548-0x00007FFE77030000-0x00007FFE77A1C000-memory.dmp

                      Filesize

                      9.9MB

                      Download

                    • memory/3028-457-0x0000028D2B710000-0x0000028D2B720000-memory.dmp

                      Filesize

                      64KB

                      Download

                    • memory/3028-538-0x0000028D2B710000-0x0000028D2B720000-memory.dmp

                      Filesize

                      64KB

                      Download

                    • memory/3028-456-0x0000028D2B710000-0x0000028D2B720000-memory.dmp

                      Filesize

                      64KB

                      Download

                    • memory/3228-313-0x0000000140000000-0x0000000140644400-memory.dmp

                      Filesize

                      6.3MB

                      Download

                    • memory/3472-5-0x0000000140000000-0x0000000140644400-memory.dmp

                      Filesize

                      6.3MB

                      Download

                    • memory/3472-6-0x0000000140000000-0x0000000140644400-memory.dmp

                      Filesize

                      6.3MB

                      Download

                    • memory/3472-119-0x0000000140000000-0x0000000140644400-memory.dmp

                      Filesize

                      6.3MB

                      Download

                    • memory/3472-3-0x0000000140000000-0x0000000140644400-memory.dmp

                      Filesize

                      6.3MB

                      Download

                    • memory/3472-0-0x0000000140000000-0x0000000140644400-memory.dmp

                      Filesize

                      6.3MB

                      Download

                    • memory/3632-449-0x0000000140000000-0x000000014015E400-memory.dmp

                      Filesize

                      1.4MB

                      Download

                    • memory/3632-345-0x0000000140000000-0x000000014015E400-memory.dmp

                      Filesize

                      1.4MB

                      Download

                    • memory/3632-333-0x0000000140000000-0x000000014015E400-memory.dmp

                      Filesize

                      1.4MB

                      Download

                    • memory/4104-129-0x00007FFE770D0000-0x00007FFE77ABC000-memory.dmp

                      Filesize

                      9.9MB

                      Download

                    • memory/4104-135-0x00000183AB0F0000-0x00000183AB100000-memory.dmp

                      Filesize

                      64KB

                      Download

                    • memory/4104-136-0x00000183AB0F0000-0x00000183AB100000-memory.dmp

                      Filesize

                      64KB

                      Download

                    • memory/4104-167-0x00000183AB0F0000-0x00000183AB100000-memory.dmp

                      Filesize

                      64KB

                      Download

                    • memory/4104-218-0x00000183AB0F0000-0x00000183AB100000-memory.dmp

                      Filesize

                      64KB

                      Download

                    • memory/4104-225-0x00007FFE770D0000-0x00007FFE77ABC000-memory.dmp

                      Filesize

                      9.9MB

                      Download

                    • memory/4356-571-0x0000000140000000-0x0000000140170400-memory.dmp

                      Filesize

                      1.4MB

                      Download

                    • memory/4356-570-0x0000000140000000-0x0000000140170400-memory.dmp

                      Filesize

                      1.4MB

                      Download

                    • memory/4356-574-0x0000000140000000-0x0000000140170400-memory.dmp

                      Filesize

                      1.4MB

                      Download

                    • memory/4524-102-0x00000152ECDF0000-0x00000152ECE00000-memory.dmp

                      Filesize

                      64KB

                      Download

                    • memory/4524-111-0x00007FFE770D0000-0x00007FFE77ABC000-memory.dmp

                      Filesize

                      9.9MB

                      Download

                    • memory/4524-53-0x00000152ECDF0000-0x00000152ECE00000-memory.dmp

                      Filesize

                      64KB

                      Download

                    • memory/4524-16-0x00000152ECDF0000-0x00000152ECE00000-memory.dmp

                      Filesize

                      64KB

                      Download

                    • memory/4524-17-0x00000152ECDF0000-0x00000152ECE00000-memory.dmp

                      Filesize

                      64KB

                      Download

                    • memory/4524-20-0x00007FFE770D0000-0x00007FFE77ABC000-memory.dmp

                      Filesize

                      9.9MB

                      Download

                    • memory/4524-19-0x00000152ECFE0000-0x00000152ED002000-memory.dmp

                      Filesize

                      136KB

                      Download

                    • memory/5104-437-0x00007FFE77030000-0x00007FFE77A1C000-memory.dmp

                      Filesize

                      9.9MB

                      Download

                    • memory/5104-428-0x00000211C5290000-0x00000211C52A0000-memory.dmp

                      Filesize

                      64KB

                      Download

                    • memory/5104-387-0x00000211C5290000-0x00000211C52A0000-memory.dmp

                      Filesize

                      64KB

                      Download

                    • memory/5104-352-0x00000211C5290000-0x00000211C52A0000-memory.dmp

                      Filesize

                      64KB

                      Download

                    • memory/5104-351-0x00000211C5290000-0x00000211C52A0000-memory.dmp

                      Filesize

                      64KB

                      Download

                    • memory/5104-349-0x00007FFE77030000-0x00007FFE77A1C000-memory.dmp

                      Filesize

                      9.9MB

                      Download