Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

8

Static

static

3

64e589ec7b...ab.exe

windows10-2004-x64

8

64e589ec7b...ab.exe

windows7-x64

8

64e589ec7b...ab.exe

windows10-1703-x64

8

64e589ec7b...ab.exe

windows10-2004-x64

8

64e589ec7b...ab.exe

windows11-21h2-x64

1

Resubmissions

17/04/2024, 12:37

240417-pths4afc45 8

17/04/2024, 12:37

240417-ptg7kafc43 8

17/04/2024, 12:36

240417-ptcbbafc34 8

17/04/2024, 12:36

240417-ptbpsafc29 8

17/04/2024, 12:36

240417-pta39afc28 8

16/04/2024, 13:44

240416-q1vxnsda7z 8

Analysis

  • max time kernel
    1198s
  • max time network
    1203s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240412-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
  • submitted
    17/04/2024, 12:37

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    64e589ec7bd006671b3192241c36ab7d87c9f4e93fd0b0d6f5f327de1b9a59ab.exe

  • Size

    5.3MB

  • MD5

    63552c60caeefe5f2d0e4028b3cc65d3

  • SHA1

    dbed3040d53495a6afda01bfb8399376792eb48c

  • SHA256

    64e589ec7bd006671b3192241c36ab7d87c9f4e93fd0b0d6f5f327de1b9a59ab

  • SHA512

    caf92a581afd25daaf9763a382b47fc87141773a8879c24ed855dfe1186b86ed7269b0cf17e8c1caee983eb85008f1161f4df07aabe0e1bb719514b41c365ba0

  • SSDEEP

    98304:vwrOjNr08jQxkFg97Nw76XgfqCPa1AQy2cmw:YC5r0wQxKg97Nw76XgyC6

Score
8/10
evasion

Malware Config

Signatures

  • Modifies Windows Firewall 2 TTPs 14 IoCs
    evasion
  • Checks computer location settings 2 TTPs 5 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 8 IoCs
  • Unexpected DNS network traffic destination 1 IoCs

    Network traffic to other servers than the configured DNS servers was detected on the DNS port.

  • Drops file in System32 directory 15 IoCs
  • Drops file in Windows directory 9 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies data under HKEY_USERS 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 54 IoCs
  • Suspicious use of AdjustPrivilegeToken 18 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\64e589ec7bd006671b3192241c36ab7d87c9f4e93fd0b0d6f5f327de1b9a59ab.exe
    "C:\Users\Admin\AppData\Local\Temp\64e589ec7bd006671b3192241c36ab7d87c9f4e93fd0b0d6f5f327de1b9a59ab.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:888
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1292
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:5036
    • C:\Windows\SYSTEM32\schtasks.exe
      schtasks /create /sc minute /ED "11/02/2024" /mo 7 /tn "Timer" /tr c:\windows\system\svchost.exe /ru SYSTEM
      2⤵
      • Creates scheduled task(s)
      PID:3924
    • C:\Windows\System\svchost.exe
      "C:\Windows\System\svchost.exe" formal
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      PID:956
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1832
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:5108
      • C:\Users\Admin\AppData\Local\Temp\~tl1E4C.tmp
        C:\Users\Admin\AppData\Local\Temp\~tl1E4C.tmp
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:1544
        • C:\Windows\SYSTEM32\netsh.exe
          netsh int ipv4 set dynamicport tcp start=1025 num=64511
          4⤵
            PID:4360
          • C:\Windows\System32\netsh.exe
            "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
            4⤵
            • Modifies Windows Firewall
            PID:4664
          • C:\Windows\System32\netsh.exe
            "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
            4⤵
            • Modifies Windows Firewall
            PID:4212
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
            4⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2660
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
            4⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3316
          • C:\Windows\SYSTEM32\schtasks.exe
            schtasks /delete /TN "Timer"
            4⤵
              PID:2396
            • C:\Windows\SYSTEM32\schtasks.exe
              schtasks /create /sc minute /ED "11/02/2024" /mo 7 /tn "Timer" /tr c:\windows\system\svchost.exe /ru SYSTEM
              4⤵
              • Creates scheduled task(s)
              PID:5116
            • C:\Windows\System\svchost.exe
              "C:\Windows\System\svchost.exe" formal
              4⤵
              • Checks computer location settings
              • Executes dropped EXE
              • Drops file in Windows directory
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of WriteProcessMemory
              PID:4752
              • C:\Windows\SYSTEM32\netsh.exe
                netsh int ipv4 set dynamicport tcp start=1025 num=64511
                5⤵
                  PID:4712
                • C:\Windows\System32\netsh.exe
                  "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
                  5⤵
                  • Modifies Windows Firewall
                  PID:1292
                • C:\Windows\System32\netsh.exe
                  "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
                  5⤵
                  • Modifies Windows Firewall
                  PID:2384
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
                  5⤵
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:4936
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
                  5⤵
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:4316
                • C:\Users\Admin\AppData\Local\Temp\~tlE78.tmp
                  C:\Users\Admin\AppData\Local\Temp\~tlE78.tmp
                  5⤵
                  • Checks computer location settings
                  • Executes dropped EXE
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of WriteProcessMemory
                  PID:2148
                  • C:\Windows\SYSTEM32\netsh.exe
                    netsh int ipv4 set dynamicport tcp start=1025 num=64511
                    6⤵
                      PID:4568
                    • C:\Windows\System32\netsh.exe
                      "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
                      6⤵
                      • Modifies Windows Firewall
                      PID:764
                    • C:\Windows\System32\netsh.exe
                      "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
                      6⤵
                      • Modifies Windows Firewall
                      PID:440
                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
                      6⤵
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      PID:1988
                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
                      6⤵
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      PID:1328
          • \??\c:\windows\system\svchost.exe
            c:\windows\system\svchost.exe
            1⤵
            • Executes dropped EXE
            • Drops file in System32 directory
            • Drops file in Windows directory
            • Modifies data under HKEY_USERS
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:1492
            • C:\Windows\system32\netsh.exe
              netsh int ipv4 set dynamicport tcp start=1025 num=64511
              2⤵
                PID:4736
              • C:\Windows\System32\netsh.exe
                "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
                2⤵
                • Modifies Windows Firewall
                PID:1776
              • C:\Windows\System32\netsh.exe
                "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
                2⤵
                • Modifies Windows Firewall
                PID:4948
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
                2⤵
                • Drops file in System32 directory
                • Modifies data under HKEY_USERS
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:4416
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
                2⤵
                • Drops file in System32 directory
                • Modifies data under HKEY_USERS
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:3376
              • C:\Windows\TEMP\~tlA2A6.tmp
                C:\Windows\TEMP\~tlA2A6.tmp
                2⤵
                • Executes dropped EXE
                • Drops file in System32 directory
                • Modifies data under HKEY_USERS
                • Suspicious behavior: EnumeratesProcesses
                PID:4196
                • C:\Windows\system32\netsh.exe
                  netsh int ipv4 set dynamicport tcp start=1025 num=64511
                  3⤵
                    PID:4960
                  • C:\Windows\System32\netsh.exe
                    "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
                    3⤵
                    • Modifies Windows Firewall
                    PID:4656
                  • C:\Windows\System32\netsh.exe
                    "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
                    3⤵
                    • Modifies Windows Firewall
                    PID:1056
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
                    3⤵
                    • Drops file in System32 directory
                    • Modifies data under HKEY_USERS
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    PID:3612
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
                    3⤵
                    • Drops file in System32 directory
                    • Modifies data under HKEY_USERS
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    PID:228
              • \??\c:\windows\system\svchost.exe
                c:\windows\system\svchost.exe
                1⤵
                • Executes dropped EXE
                • Drops file in System32 directory
                • Drops file in Windows directory
                • Modifies data under HKEY_USERS
                • Suspicious behavior: EnumeratesProcesses
                PID:4412
                • C:\Windows\system32\netsh.exe
                  netsh int ipv4 set dynamicport tcp start=1025 num=64511
                  2⤵
                    PID:2816
                  • C:\Windows\System32\netsh.exe
                    "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
                    2⤵
                    • Modifies Windows Firewall
                    PID:4580
                  • C:\Windows\System32\netsh.exe
                    "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
                    2⤵
                    • Modifies Windows Firewall
                    PID:3672
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
                    2⤵
                    • Drops file in System32 directory
                    • Modifies data under HKEY_USERS
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    PID:3796
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
                    2⤵
                    • Drops file in System32 directory
                    • Modifies data under HKEY_USERS
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    PID:4084
                  • C:\Windows\TEMP\~tl5F7.tmp
                    C:\Windows\TEMP\~tl5F7.tmp
                    2⤵
                    • Executes dropped EXE
                    • Drops file in System32 directory
                    • Modifies data under HKEY_USERS
                    • Suspicious behavior: EnumeratesProcesses
                    PID:668
                    • C:\Windows\system32\netsh.exe
                      netsh int ipv4 set dynamicport tcp start=1025 num=64511
                      3⤵
                        PID:2212
                      • C:\Windows\System32\netsh.exe
                        "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
                        3⤵
                        • Modifies Windows Firewall
                        PID:4436
                      • C:\Windows\System32\netsh.exe
                        "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
                        3⤵
                        • Modifies Windows Firewall
                        PID:4940
                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
                        3⤵
                        • Drops file in System32 directory
                        • Modifies data under HKEY_USERS
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of AdjustPrivilegeToken
                        PID:4324
                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
                        3⤵
                        • Drops file in System32 directory
                        • Modifies data under HKEY_USERS
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of AdjustPrivilegeToken
                        PID:4480

                  Network

                  MITRE ATT&CK Enterprise v15

                  Replay Monitor

                  Loading Replay Monitor...

                  Downloads

                  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
                    Filesize

                    2KB

                    MD5

                    d85ba6ff808d9e5444a4b369f5bc2730

                    SHA1

                    31aa9d96590fff6981b315e0b391b575e4c0804a

                    SHA256

                    84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

                    SHA512

                    8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                    Filesize

                    944B

                    MD5

                    22310ad6749d8cc38284aa616efcd100

                    SHA1

                    440ef4a0a53bfa7c83fe84326a1dff4326dcb515

                    SHA256

                    55b1d8021c4eb4c3c0d75e3ed7a4eb30cd0123e3d69f32eeb596fe4ffec05abf

                    SHA512

                    2ef08e2ee15bb86695fe0c10533014ffed76ececc6e579d299d3365fafb7627f53e32e600bb6d872b9f58aca94f8cb7e1e94cdfd14777527f7f0aa019d9c6def

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                    Filesize

                    944B

                    MD5

                    5cfe303e798d1cc6c1dab341e7265c15

                    SHA1

                    cd2834e05191a24e28a100f3f8114d5a7708dc7c

                    SHA256

                    c4d16552769ca1762f6867bce85589c645ac3dc490b650083d74f853f898cfab

                    SHA512

                    ef151bbe0033a2caf2d40aff74855a3f42c8171e05a11c8ce93c7039d9430482c43fe93d9164ee94839aff253cad774dbf619dde9a8af38773ca66d59ac3400e

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                    Filesize

                    856B

                    MD5

                    a65612a866ee814cd47e41fd00e8951a

                    SHA1

                    b646f16a39d2edc6c3d20755abea9dcc43b5a576

                    SHA256

                    9dda6f82e1d9bac0941563c1261fcf94b84c6132f76c790ab5c07646bcc2a278

                    SHA512

                    e3411ab250651426e5067250b483b4f2bb792bb72ca530b6895493dcc03309ee9b0f7917341ee51daecec5794c00c1d74762238e8c5d8d261b674041ffd8dae9

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                    Filesize

                    944B

                    MD5

                    77d622bb1a5b250869a3238b9bc1402b

                    SHA1

                    d47f4003c2554b9dfc4c16f22460b331886b191b

                    SHA256

                    f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

                    SHA512

                    d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                    Filesize

                    944B

                    MD5

                    19e1e2a79d89d1a806d9f998551c82a8

                    SHA1

                    3ea8c6b09bcaa874efc3a220f6f61eed4be85ebd

                    SHA256

                    210f353fbdf0ed0f95aec9d76a455c1e92f96000551a875c5de55cfa712f4adc

                    SHA512

                    da427ad972596f8f795ae978337e943cb07f9c5a2ed1c8d1f1cad27c07dcec2f4d4ffe9424db2b90fcba3c2f301524f52931a863efae38fca2bef1def53567b8

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bdo4oqm2.xjm.ps1
                    Filesize

                    60B

                    MD5

                    d17fe0a3f47be24a6453e9ef58c94641

                    SHA1

                    6ab83620379fc69f80c0242105ddffd7d98d5d9d

                    SHA256

                    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                    SHA512

                    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\~tl1E4C.tmp
                    Filesize

                    385KB

                    MD5

                    e802c96760e48c5139995ffb2d891f90

                    SHA1

                    bba3d278c0eb1094a26e5d2f4c099ad685371578

                    SHA256

                    cb82ea45a37f8f79d10726a7c165aa5b392b68d5ac954141129c1762a539722c

                    SHA512

                    97300ac501be6b6ea3ac1915361dd472824fe612801cab8561a02c7df071b1534190d2d5ef872d89d24c8c915b88101e7315f948f53215c2538d661181e3a5f0

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\~tlE78.tmp
                    Filesize

                    393KB

                    MD5

                    9dbdd43a2e0b032604943c252eaf634a

                    SHA1

                    9584dc66f3c1cce4210fdf827a1b4e2bb22263af

                    SHA256

                    33c53cd5265502e7b62432dba0e1b5ed702b5007cc79973ccd1e71b2acc01e86

                    SHA512

                    b7b20b06dac952a96eda254bad29966fe7a4f827912beb0bc66d5af5b302d7c0282d70c1b01ff782507dd03a1d58706f05cb157521c7f2887a43085ffe5f94d1

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\tor\cached-microdesc-consensus.tmp
                    Filesize

                    2.6MB

                    MD5

                    e7634067c1219da664e2c13a622988bf

                    SHA1

                    b354b3912ec59fefecdaa660af50c679b136b6ca

                    SHA256

                    e1f51b61149b811c5029caaa39ddf54faa18fcd18bbcf432155ad324fbc0fdb7

                    SHA512

                    b61ea1448ec13e88c66e043c0f99d95a2626e631841bec0b0e2e1dd6cbbcb8f8587d414f3ad32794ccdadf7c763910ed844220684f3edc71109f47fe4353c944

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\tor\cached-microdescs.new
                    Filesize

                    9.7MB

                    MD5

                    eafa08a2d611f8e885f66c691da897ea

                    SHA1

                    ecbf8f79f8137ea9c74e3d8b7ca613ed52f5a090

                    SHA256

                    03b45c822c1656817b7096f88cb11821c81cf4d6edc971a2eca4716f93d21adb

                    SHA512

                    33cecf6ab0b0ffe2e902e41b9a5740fdd4a702357f146c69539f8b2ee83376d228a2fd759cb6f1185d27405a6d8db8f5c53bfdec26563009131e06922a48634b

                    Download Submit

                  • C:\Windows\System\svchost.exe
                    Filesize

                    5.3MB

                    MD5

                    63552c60caeefe5f2d0e4028b3cc65d3

                    SHA1

                    dbed3040d53495a6afda01bfb8399376792eb48c

                    SHA256

                    64e589ec7bd006671b3192241c36ab7d87c9f4e93fd0b0d6f5f327de1b9a59ab

                    SHA512

                    caf92a581afd25daaf9763a382b47fc87141773a8879c24ed855dfe1186b86ed7269b0cf17e8c1caee983eb85008f1161f4df07aabe0e1bb719514b41c365ba0

                    Download Submit

                  • C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
                    Filesize

                    4KB

                    MD5

                    bdb25c22d14ec917e30faf353826c5de

                    SHA1

                    6c2feb9cea9237bc28842ebf2fea68b3bd7ad190

                    SHA256

                    e3274ce8296f2cd20e3189576fbadbfa0f1817cdf313487945c80e968589a495

                    SHA512

                    b5eddbfd4748298a302e2963cfd12d849130b6dcb8f0f85a2a623caed0ff9bd88f4ec726f646dbebfca4964adc35f882ec205113920cb546cc08193739d6728c

                    Download Submit

                  • C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                    Filesize

                    1KB

                    MD5

                    b42c70c1dbf0d1d477ec86902db9e986

                    SHA1

                    1d1c0a670748b3d10bee8272e5d67a4fabefd31f

                    SHA256

                    8ed3b348989cdc967d1fc0e887b2a2f5a656680d8d14ebd3cb71a10c2f55867a

                    SHA512

                    57fb278a8b2e83d01fac2a031c90e0e2bd5e4c1a360cfa4308490eb07e1b9d265b1f28399d0f10b141a6438ba92dd5f9ce4f18530ec277fece0eb7678041cbc5

                    Download Submit

                  • C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                    Filesize

                    1KB

                    MD5

                    85ca93b08bad760e13d768f9f5245bd1

                    SHA1

                    83dbd61979fe8692414d9b08f317eb434741da18

                    SHA256

                    aac5eca1bdba9df6ac0957e8208cf925be6c4f10cf23b31a4f3530b3b6de9c63

                    SHA512

                    65876b5ee23cb19b5c18edb3ae7025017f3b485685a828a0076117e3eee8f8c116b123ff00cd8c3068ed12797d6571995d54c9e2d84a3523a0519132c026b904

                    Download Submit

                  • C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                    Filesize

                    1KB

                    MD5

                    d1332a06490889a6119649eb6f5f5f76

                    SHA1

                    3032c20433f1e62b7cc8a3da38965fd01a713bdb

                    SHA256

                    fd0ce0c21ed4c7b4c4fc72d339ef6502d7ba7deae66294c00827234ad410c62c

                    SHA512

                    9e99fcea4ab2fc5c77bce739ef8a3b03ef837c1d5e32263d12b3cceaddf36c976b08eb0e1fb21c6a77bf7e571da4aecc3ec3ca5208b9284cd76be2b1cff57c95

                    Download Submit

                  • C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                    Filesize

                    119B

                    MD5

                    ee92473bc7cc5ddfdb7cb9b74b31525b

                    SHA1

                    cf70581afa5aca1b1b27b350b91d30f8617c34e7

                    SHA256

                    2f27a98fd67ad592785c53fe8ad60f16cdbe76a60bc668fef6758d5cc74b2de5

                    SHA512

                    626107734fc418c960609aa019230dab6296eff2af8dfd0fedde3de687c049a090b37e6d65b30757bae712e3216424a73dcc60a9e417bfee04fdf5c1fe4d1471

                    Download Submit

                  • memory/888-6-0x0000000140000000-0x0000000140644400-memory.dmp

                    Filesize

                    6.3MB

                    Download

                  • memory/888-49-0x0000000140000000-0x0000000140644400-memory.dmp

                    Filesize

                    6.3MB

                    Download

                  • memory/888-0-0x0000000140000000-0x0000000140644400-memory.dmp

                    Filesize

                    6.3MB

                    Download

                  • memory/888-5-0x0000000140000000-0x0000000140644400-memory.dmp

                    Filesize

                    6.3MB

                    Download

                  • memory/888-3-0x0000000140000000-0x0000000140644400-memory.dmp

                    Filesize

                    6.3MB

                    Download

                  • memory/888-4-0x0000000140000000-0x0000000140644400-memory.dmp

                    Filesize

                    6.3MB

                    Download

                  • memory/956-54-0x0000000140000000-0x0000000140644400-memory.dmp

                    Filesize

                    6.3MB

                    Download

                  • memory/956-140-0x0000000140000000-0x0000000140644400-memory.dmp

                    Filesize

                    6.3MB

                    Download

                  • memory/956-132-0x0000000140000000-0x0000000140644400-memory.dmp

                    Filesize

                    6.3MB

                    Download

                  • memory/956-102-0x0000000140000000-0x0000000140644400-memory.dmp

                    Filesize

                    6.3MB

                    Download

                  • memory/956-87-0x0000000015540000-0x0000000015A3C000-memory.dmp

                    Filesize

                    5.0MB

                    Download

                  • memory/956-127-0x0000000140000000-0x0000000140644400-memory.dmp

                    Filesize

                    6.3MB

                    Download

                  • memory/1292-30-0x000001B8D9440000-0x000001B8D9450000-memory.dmp

                    Filesize

                    64KB

                    Download

                  • memory/1292-38-0x00007FFCEDEE0000-0x00007FFCEE9A1000-memory.dmp

                    Filesize

                    10.8MB

                    Download

                  • memory/1292-29-0x000001B8D9440000-0x000001B8D9450000-memory.dmp

                    Filesize

                    64KB

                    Download

                  • memory/1292-28-0x00007FFCEDEE0000-0x00007FFCEE9A1000-memory.dmp

                    Filesize

                    10.8MB

                    Download

                  • memory/1328-246-0x00007FFCEE2E0000-0x00007FFCEEDA1000-memory.dmp

                    Filesize

                    10.8MB

                    Download

                  • memory/1328-261-0x00007FFCEE2E0000-0x00007FFCEEDA1000-memory.dmp

                    Filesize

                    10.8MB

                    Download

                  • memory/1492-290-0x0000000140000000-0x000000014015E400-memory.dmp

                    Filesize

                    1.4MB

                    Download

                  • memory/1492-294-0x0000000140000000-0x000000014015E400-memory.dmp

                    Filesize

                    1.4MB

                    Download

                  • memory/1544-187-0x0000000140000000-0x000000014015E400-memory.dmp

                    Filesize

                    1.4MB

                    Download

                  • memory/1544-144-0x0000000140000000-0x000000014015E400-memory.dmp

                    Filesize

                    1.4MB

                    Download

                  • memory/1544-139-0x0000000140000000-0x000000014015E400-memory.dmp

                    Filesize

                    1.4MB

                    Download

                  • memory/1544-142-0x0000000140000000-0x000000014015E400-memory.dmp

                    Filesize

                    1.4MB

                    Download

                  • memory/1544-143-0x0000000140000000-0x000000014015E400-memory.dmp

                    Filesize

                    1.4MB

                    Download

                  • memory/1832-64-0x00007FFCED760000-0x00007FFCEE221000-memory.dmp

                    Filesize

                    10.8MB

                    Download

                  • memory/1832-81-0x00000196669B0000-0x00000196669C0000-memory.dmp

                    Filesize

                    64KB

                    Download

                  • memory/1832-65-0x00000196669B0000-0x00000196669C0000-memory.dmp

                    Filesize

                    64KB

                    Download

                  • memory/1832-76-0x00000196669B0000-0x00000196669C0000-memory.dmp

                    Filesize

                    64KB

                    Download

                  • memory/1832-86-0x00007FFCED760000-0x00007FFCEE221000-memory.dmp

                    Filesize

                    10.8MB

                    Download

                  • memory/1988-258-0x00007FFCEE2E0000-0x00007FFCEEDA1000-memory.dmp

                    Filesize

                    10.8MB

                    Download

                  • memory/1988-256-0x000001BE4D2B0000-0x000001BE4D2C0000-memory.dmp

                    Filesize

                    64KB

                    Download

                  • memory/1988-235-0x000001BE4D2B0000-0x000001BE4D2C0000-memory.dmp

                    Filesize

                    64KB

                    Download

                  • memory/1988-234-0x000001BE4D2B0000-0x000001BE4D2C0000-memory.dmp

                    Filesize

                    64KB

                    Download

                  • memory/1988-233-0x00007FFCEE2E0000-0x00007FFCEEDA1000-memory.dmp

                    Filesize

                    10.8MB

                    Download

                  • memory/2148-232-0x0000000140000000-0x0000000140170400-memory.dmp

                    Filesize

                    1.4MB

                    Download

                  • memory/2148-227-0x0000000140000000-0x0000000140170400-memory.dmp

                    Filesize

                    1.4MB

                    Download

                  • memory/2148-264-0x0000000140000000-0x0000000140170400-memory.dmp

                    Filesize

                    1.4MB

                    Download

                  • memory/2148-263-0x0000000140000000-0x0000000140170400-memory.dmp

                    Filesize

                    1.4MB

                    Download

                  • memory/2148-231-0x0000000140000000-0x0000000140170400-memory.dmp

                    Filesize

                    1.4MB

                    Download

                  • memory/2148-230-0x0000000140000000-0x0000000140170400-memory.dmp

                    Filesize

                    1.4MB

                    Download

                  • memory/2148-229-0x0000000140000000-0x0000000140170400-memory.dmp

                    Filesize

                    1.4MB

                    Download

                  • memory/2660-151-0x0000025BD9880000-0x0000025BD9890000-memory.dmp

                    Filesize

                    64KB

                    Download

                  • memory/2660-169-0x00007FFCEE2E0000-0x00007FFCEEDA1000-memory.dmp

                    Filesize

                    10.8MB

                    Download

                  • memory/2660-145-0x00007FFCEE2E0000-0x00007FFCEEDA1000-memory.dmp

                    Filesize

                    10.8MB

                    Download

                  • memory/3316-158-0x0000028E39660000-0x0000028E39670000-memory.dmp

                    Filesize

                    64KB

                    Download

                  • memory/3316-157-0x00007FFCEE2E0000-0x00007FFCEEDA1000-memory.dmp

                    Filesize

                    10.8MB

                    Download

                  • memory/3316-172-0x00007FFCEE2E0000-0x00007FFCEEDA1000-memory.dmp

                    Filesize

                    10.8MB

                    Download

                  • memory/3376-342-0x000002637EBE0000-0x000002637EBFC000-memory.dmp

                    Filesize

                    112KB

                    Download

                  • memory/3376-341-0x000002637EAF0000-0x000002637EAFA000-memory.dmp

                    Filesize

                    40KB

                    Download

                  • memory/3376-327-0x000002631A630000-0x000002631A64C000-memory.dmp

                    Filesize

                    112KB

                    Download

                  • memory/3376-316-0x00007FFCEE9A0000-0x00007FFCEF461000-memory.dmp

                    Filesize

                    10.8MB

                    Download

                  • memory/3376-317-0x000002637EAD0000-0x000002637EAE0000-memory.dmp

                    Filesize

                    64KB

                    Download

                  • memory/3376-328-0x000002631A650000-0x000002631A705000-memory.dmp

                    Filesize

                    724KB

                    Download

                  • memory/3376-343-0x000002637EB00000-0x000002637EB0A000-memory.dmp

                    Filesize

                    40KB

                    Download

                  • memory/3376-338-0x000002637EAD0000-0x000002637EAE0000-memory.dmp

                    Filesize

                    64KB

                    Download

                  • memory/4316-215-0x000001B9ECF90000-0x000001B9ECFA0000-memory.dmp

                    Filesize

                    64KB

                    Download

                  • memory/4316-203-0x000001B9ECF90000-0x000001B9ECFA0000-memory.dmp

                    Filesize

                    64KB

                    Download

                  • memory/4316-202-0x00007FFCEE2E0000-0x00007FFCEEDA1000-memory.dmp

                    Filesize

                    10.8MB

                    Download

                  • memory/4316-218-0x00007FFCEE2E0000-0x00007FFCEEDA1000-memory.dmp

                    Filesize

                    10.8MB

                    Download

                  • memory/4416-295-0x00007FFCEE9A0000-0x00007FFCEF461000-memory.dmp

                    Filesize

                    10.8MB

                    Download

                  • memory/4416-297-0x0000022749B50000-0x0000022749B60000-memory.dmp

                    Filesize

                    64KB

                    Download

                  • memory/4416-340-0x0000022749B50000-0x0000022749B60000-memory.dmp

                    Filesize

                    64KB

                    Download

                  • memory/4416-296-0x0000022749B50000-0x0000022749B60000-memory.dmp

                    Filesize

                    64KB

                    Download

                  • memory/4416-339-0x00007FF4BE240000-0x00007FF4BE250000-memory.dmp

                    Filesize

                    64KB

                    Download

                  • memory/4752-185-0x0000000140000000-0x000000014015E400-memory.dmp

                    Filesize

                    1.4MB

                    Download

                  • memory/4752-188-0x0000000140000000-0x000000014015E400-memory.dmp

                    Filesize

                    1.4MB

                    Download

                  • memory/4752-220-0x0000000140000000-0x000000014015E400-memory.dmp

                    Filesize

                    1.4MB

                    Download

                  • memory/4752-228-0x0000000140000000-0x000000014015E400-memory.dmp

                    Filesize

                    1.4MB

                    Download

                  • memory/4752-184-0x0000000140000000-0x000000014015E400-memory.dmp

                    Filesize

                    1.4MB

                    Download

                  • memory/4936-201-0x0000025B36470000-0x0000025B36480000-memory.dmp

                    Filesize

                    64KB

                    Download

                  • memory/4936-199-0x00007FFCEE2E0000-0x00007FFCEEDA1000-memory.dmp

                    Filesize

                    10.8MB

                    Download

                  • memory/4936-200-0x0000025B36470000-0x0000025B36480000-memory.dmp

                    Filesize

                    64KB

                    Download

                  • memory/4936-214-0x00007FFCEE2E0000-0x00007FFCEEDA1000-memory.dmp

                    Filesize

                    10.8MB

                    Download

                  • memory/5036-37-0x00007FFCEDEE0000-0x00007FFCEE9A1000-memory.dmp

                    Filesize

                    10.8MB

                    Download

                  • memory/5036-16-0x000002C7576E0000-0x000002C757702000-memory.dmp

                    Filesize

                    136KB

                    Download

                  • memory/5036-17-0x00007FFCEDEE0000-0x00007FFCEE9A1000-memory.dmp

                    Filesize

                    10.8MB

                    Download

                  • memory/5036-18-0x000002C757720000-0x000002C757730000-memory.dmp

                    Filesize

                    64KB

                    Download

                  • memory/5036-31-0x000002C757720000-0x000002C757730000-memory.dmp

                    Filesize

                    64KB

                    Download

                  • memory/5108-85-0x00007FFCED760000-0x00007FFCEE221000-memory.dmp

                    Filesize

                    10.8MB

                    Download

                  • memory/5108-75-0x00007FFCED760000-0x00007FFCEE221000-memory.dmp

                    Filesize

                    10.8MB

                    Download

                  • memory/5108-77-0x00000212A7EB0000-0x00000212A7EC0000-memory.dmp

                    Filesize

                    64KB

                    Download

                  • memory/5108-78-0x00000212A7EB0000-0x00000212A7EC0000-memory.dmp

                    Filesize

                    64KB

                    Download

                  • memory/5108-80-0x00000212A7EB0000-0x00000212A7EC0000-memory.dmp

                    Filesize

                    64KB

                    Download