Malware Analysis Report

2024-11-13 15:39

Sample ID 220815-tk8qdaffh2
Target ed2d7b25bb360cccb4f0f6a4f8732d7a.exe
SHA256 22f524abc98f958705febd3761bedc85ec1ae859316a653b67c0c01327533092
Tags
phorphiex evasion loader persistence trojan worm
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

22f524abc98f958705febd3761bedc85ec1ae859316a653b67c0c01327533092

Threat Level: Known bad

The file ed2d7b25bb360cccb4f0f6a4f8732d7a.exe was found to be: Known bad.

Malicious Activity Summary

phorphiex evasion loader persistence trojan worm

Phorphiex family

Phorphiex

Windows security bypass

Executes dropped EXE

Loads dropped DLL

Windows security modification

Adds Run key to start application

Drops file in Windows directory

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-08-15 16:08

Signatures

Phorphiex family

phorphiex

Analysis: behavioral1

Detonation Overview

Submitted

2022-08-15 16:08

Reported

2022-08-15 16:10

Platform

win7-20220812-en

Max time kernel

149s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ed2d7b25bb360cccb4f0f6a4f8732d7a.exe"

Signatures

Phorphiex

worm trojan loader phorphiex

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\winrecsv.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\winrecsv.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\winrecsv.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\winrecsv.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1" C:\Windows\winrecsv.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\winrecsv.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\winrecsv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1090022205.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\winrecsv.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\winrecsv.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\winrecsv.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\winrecsv.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiSpywareOverride = "1" C:\Windows\winrecsv.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\winrecsv.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\winrecsv.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1" C:\Windows\winrecsv.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\winrecsv.exe" C:\Users\Admin\AppData\Local\Temp\ed2d7b25bb360cccb4f0f6a4f8732d7a.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\winrecsv.exe C:\Users\Admin\AppData\Local\Temp\ed2d7b25bb360cccb4f0f6a4f8732d7a.exe N/A
File opened for modification C:\Windows\winrecsv.exe C:\Users\Admin\AppData\Local\Temp\ed2d7b25bb360cccb4f0f6a4f8732d7a.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ed2d7b25bb360cccb4f0f6a4f8732d7a.exe

"C:\Users\Admin\AppData\Local\Temp\ed2d7b25bb360cccb4f0f6a4f8732d7a.exe"

C:\Windows\winrecsv.exe

C:\Windows\winrecsv.exe

C:\Users\Admin\AppData\Local\Temp\1090022205.exe

C:\Users\Admin\AppData\Local\Temp\1090022205.exe

Network


Files

memory/1644-54-0x0000000075A11000-0x0000000075A13000-memory.dmp

memory/1972-55-0x0000000000000000-mapping.dmp

C:\Windows\winrecsv.exe

MD5 ed2d7b25bb360cccb4f0f6a4f8732d7a
SHA1 6ffcc083956c5ac19826bdd87e12f87817ee837c
SHA256 22f524abc98f958705febd3761bedc85ec1ae859316a653b67c0c01327533092
SHA512 6592ec1a12f9575176474c6192d49f4f4a87998da6692e07e8ba6a93789d6a92e41dbabd3488a27a49ec8c8c414e02751867feb2a0038e4091630ca3e4fb235f

C:\Users\Admin\AppData\Local\Temp\1090022205.exe

MD5 a475e43527d7dc7d6f2d23bad64fcc99
SHA1 793a7625c0106d6cd79d060b4eec94e58530833e
SHA256 f97c43bf3dce6180e658f2c3776e31cf52472b28ac8249be4d307880b6405eeb
SHA512 4af57a218d7d790b5ec4581dd2bc941deff05ea11bf6054a9d268c054af421977cdd68d5090884358208925f50023c97e9cfaba0831d72e9bcdcca729447d900

memory/1816-60-0x0000000000000000-mapping.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-08-15 16:08

Reported

2022-08-15 16:10

Platform

win10v2004-20220812-en

Max time kernel

149s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ed2d7b25bb360cccb4f0f6a4f8732d7a.exe"

Signatures

Phorphiex

worm trojan loader phorphiex

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\winrecsv.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\winrecsv.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\winrecsv.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\winrecsv.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\winrecsv.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\winrecsv.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1" C:\Users\Admin\winrecsv.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\winrecsv.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\winrecsv.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\winrecsv.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\winrecsv.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1" C:\Windows\winrecsv.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiSpywareOverride = "1" C:\Windows\winrecsv.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\winrecsv.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\winrecsv.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1" C:\Windows\winrecsv.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\winrecsv.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\winrecsv.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1" C:\Users\Admin\winrecsv.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\winrecsv.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\winrecsv.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\winrecsv.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\winrecsv.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\winrecsv.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiSpywareOverride = "1" C:\Users\Admin\winrecsv.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\winrecsv.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\winrecsv.exe" C:\Users\Admin\AppData\Local\Temp\ed2d7b25bb360cccb4f0f6a4f8732d7a.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Users\\Admin\\winrecsv.exe" C:\Users\Admin\AppData\Local\Temp\873529329.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\winrecsv.exe C:\Users\Admin\AppData\Local\Temp\ed2d7b25bb360cccb4f0f6a4f8732d7a.exe N/A
File opened for modification C:\Windows\winrecsv.exe C:\Users\Admin\AppData\Local\Temp\ed2d7b25bb360cccb4f0f6a4f8732d7a.exe N/A
File created C:\Windows\winrecsv.exe C:\Users\Admin\AppData\Local\Temp\873529329.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4064 wrote to memory of 4024 N/A C:\Users\Admin\AppData\Local\Temp\ed2d7b25bb360cccb4f0f6a4f8732d7a.exe C:\Windows\winrecsv.exe
PID 4064 wrote to memory of 4024 N/A C:\Users\Admin\AppData\Local\Temp\ed2d7b25bb360cccb4f0f6a4f8732d7a.exe C:\Windows\winrecsv.exe
PID 4064 wrote to memory of 4024 N/A C:\Users\Admin\AppData\Local\Temp\ed2d7b25bb360cccb4f0f6a4f8732d7a.exe C:\Windows\winrecsv.exe
PID 4024 wrote to memory of 836 N/A C:\Windows\winrecsv.exe C:\Users\Admin\AppData\Local\Temp\1811431440.exe
PID 4024 wrote to memory of 836 N/A C:\Windows\winrecsv.exe C:\Users\Admin\AppData\Local\Temp\1811431440.exe
PID 4024 wrote to memory of 836 N/A C:\Windows\winrecsv.exe C:\Users\Admin\AppData\Local\Temp\1811431440.exe
PID 4024 wrote to memory of 3176 N/A C:\Windows\winrecsv.exe C:\Users\Admin\AppData\Local\Temp\873529329.exe
PID 4024 wrote to memory of 3176 N/A C:\Windows\winrecsv.exe C:\Users\Admin\AppData\Local\Temp\873529329.exe
PID 4024 wrote to memory of 3176 N/A C:\Windows\winrecsv.exe C:\Users\Admin\AppData\Local\Temp\873529329.exe
PID 3176 wrote to memory of 4424 N/A C:\Users\Admin\AppData\Local\Temp\873529329.exe C:\Users\Admin\winrecsv.exe
PID 3176 wrote to memory of 4424 N/A C:\Users\Admin\AppData\Local\Temp\873529329.exe C:\Users\Admin\winrecsv.exe
PID 3176 wrote to memory of 4424 N/A C:\Users\Admin\AppData\Local\Temp\873529329.exe C:\Users\Admin\winrecsv.exe
PID 4424 wrote to memory of 5072 N/A C:\Users\Admin\winrecsv.exe C:\Users\Admin\AppData\Local\Temp\255594601.exe
PID 4424 wrote to memory of 5072 N/A C:\Users\Admin\winrecsv.exe C:\Users\Admin\AppData\Local\Temp\255594601.exe
PID 4424 wrote to memory of 5072 N/A C:\Users\Admin\winrecsv.exe C:\Users\Admin\AppData\Local\Temp\255594601.exe

Processes

C:\Users\Admin\AppData\Local\Temp\ed2d7b25bb360cccb4f0f6a4f8732d7a.exe

"C:\Users\Admin\AppData\Local\Temp\ed2d7b25bb360cccb4f0f6a4f8732d7a.exe"

C:\Windows\winrecsv.exe

C:\Windows\winrecsv.exe

C:\Users\Admin\AppData\Local\Temp\1811431440.exe

C:\Users\Admin\AppData\Local\Temp\1811431440.exe

C:\Users\Admin\AppData\Local\Temp\873529329.exe

C:\Users\Admin\AppData\Local\Temp\873529329.exe

C:\Users\Admin\winrecsv.exe

C:\Users\Admin\winrecsv.exe

C:\Users\Admin\AppData\Local\Temp\255594601.exe

C:\Users\Admin\AppData\Local\Temp\255594601.exe

Network


Files

memory/4024-132-0x0000000000000000-mapping.dmp

C:\Windows\winrecsv.exe

MD5 ed2d7b25bb360cccb4f0f6a4f8732d7a
SHA1 6ffcc083956c5ac19826bdd87e12f87817ee837c
SHA256 22f524abc98f958705febd3761bedc85ec1ae859316a653b67c0c01327533092
SHA512 6592ec1a12f9575176474c6192d49f4f4a87998da6692e07e8ba6a93789d6a92e41dbabd3488a27a49ec8c8c414e02751867feb2a0038e4091630ca3e4fb235f

memory/836-135-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\1811431440.exe

MD5 a475e43527d7dc7d6f2d23bad64fcc99
SHA1 793a7625c0106d6cd79d060b4eec94e58530833e
SHA256 f97c43bf3dce6180e658f2c3776e31cf52472b28ac8249be4d307880b6405eeb
SHA512 4af57a218d7d790b5ec4581dd2bc941deff05ea11bf6054a9d268c054af421977cdd68d5090884358208925f50023c97e9cfaba0831d72e9bcdcca729447d900

memory/3176-138-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\873529329.exe

MD5 ed2d7b25bb360cccb4f0f6a4f8732d7a
SHA1 6ffcc083956c5ac19826bdd87e12f87817ee837c
SHA256 22f524abc98f958705febd3761bedc85ec1ae859316a653b67c0c01327533092
SHA512 6592ec1a12f9575176474c6192d49f4f4a87998da6692e07e8ba6a93789d6a92e41dbabd3488a27a49ec8c8c414e02751867feb2a0038e4091630ca3e4fb235f

memory/4424-141-0x0000000000000000-mapping.dmp

C:\Users\Admin\winrecsv.exe

MD5 ed2d7b25bb360cccb4f0f6a4f8732d7a
SHA1 6ffcc083956c5ac19826bdd87e12f87817ee837c
SHA256 22f524abc98f958705febd3761bedc85ec1ae859316a653b67c0c01327533092
SHA512 6592ec1a12f9575176474c6192d49f4f4a87998da6692e07e8ba6a93789d6a92e41dbabd3488a27a49ec8c8c414e02751867feb2a0038e4091630ca3e4fb235f

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\ZU0QPHDB\1[1]

MD5 9e2f163c15ee457be1f51981985570a1
SHA1 4a191e6da4a85b915f285e758d0789d2ede3aff1
SHA256 c7de55ddd548f4f268979e1f0c70ab0edb2566c0ce46b921ea281e1570abad82
SHA512 4b3eae4a1df79ac8805f46d32daecdb54028d160a5056679d4478c08e7f8ff42df5f84f4b1fe2cb8b5f3574eae5b18a94ad865edfc4d314a51118316c907967d

C:\Users\Admin\AppData\Local\Temp\255594601.exe

MD5 a475e43527d7dc7d6f2d23bad64fcc99
SHA1 793a7625c0106d6cd79d060b4eec94e58530833e
SHA256 f97c43bf3dce6180e658f2c3776e31cf52472b28ac8249be4d307880b6405eeb
SHA512 4af57a218d7d790b5ec4581dd2bc941deff05ea11bf6054a9d268c054af421977cdd68d5090884358208925f50023c97e9cfaba0831d72e9bcdcca729447d900

memory/5072-145-0x0000000000000000-mapping.dmp

C:\Users\Admin\tncmds.dat

MD5 736696f9732537ccfd22f6cbad731f13
SHA1 70257e67b17b634464320a3f0d78a4fed92cfc00
SHA256 80bf82ec8153367a76a9622ff0142eb8bf8190a99b808065c6a005d6acd8194a
SHA512 ec72199a9684e039cc4cb75c63fe434aecf3fda755f4d6c5945cbb499336b1c716d0984e7f6d4b374d51c02675a4a89a268d268c4f68cb19efc0c8a7ded074e5

C:\Users\Admin\tnnodes.dat

MD5 a72ad0ec1a394454c6c2654f0e291487
SHA1 9d0c5570fb201977603a2e6186b91189fd6a771d
SHA256 6db70cb72592840e1e02bcb68e98b531fdfe7d3d5da7ff5f7fb07caac1f5c96b
SHA512 8ea95b75c20a491aef638e24085325394fc8c3d72b01796f877c4a19e487c556255dbba7dd000d1a9d6080bf965f50ccf0b5427ecb56cd42ce53d57630496114