phorphiex | e9f02e616deb5c63cb19292ae6f9e8f6f6ee950f8172d1a8607256f6a210e978

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
04-02-2023 07:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tmp.exe
Size

6KB
MD5

08148dca51b3f5ed007267d13f4f0f3f
SHA1

ec5a8fc25eb56de6c2fc721229ced12eb9435d6c
SHA256

e9f02e616deb5c63cb19292ae6f9e8f6f6ee950f8172d1a8607256f6a210e978
SHA512

f1f65e7455e2a52c94473e68ccbd097e2fa7b988700551cd79262d99ac545399a94238a42140386d4c7244753c01d0d9175d560ab3bd7e570742cda087bb8468
SSDEEP

96:eaYN1t761bndKyl7ayAcR3PtboynuYUBtCt:Gt7YbN7jz3P1oynfUBM

Score

10^/10

phorphiex xmrig evasion loader miner persistence trojan upx worm

Malware Config

Extracted

Family

phorphiex

http://185.215.113.66/

Wallets

1Gpu5QiBqsquu71AGqHwb4Y68iwnkdGH1k

3PPJU1omRSTwxDbbfVyxh9Mm8WkiMGZviMh

37AcEVDyoPyUJUKNM3mM1UxNNvKgN6Abn5

qqlt9zzv020vtlswk5v6e90nv7hsuqz0nggp4rj5t0

Xj6orHUgmtZtPb2wGSTX2reQZJ89ZeeYYG

DRyZQqRX998DYdf7zGdTCShGcRBbxjUAbF

0x25229D09B0048F23e60c010C8eE1ae65C727e973

LhoapQ1TFjG2Fvbwn5WbM2wYcwisKRVz7x

r3j2xjQLmVa6Cg3cHZLqLNVja1x6g1AtNL

TVTrpva4J2g8SENebPar4YnfnCqwUeiX4a

t1MrdY4n3DBL3uip5Pq6tqx4doYpihJJG68

AXUqtUXyQmU8buqL5ehCLuLLHhhFrREXuw

bitcoincash:qqlt9zzv020vtlswk5v6e90nv7hsuqz0nggp4rj5t0

48jYpFT6bT8MTeph7VsyzCQeDsGHqdQNc2kUkRFJPzfRHHjarBvBtudPUtParMkDzZbYBrd3yntWBQcsnVBNeeMbN9EXifg

GDX4NDGHA5WKQLOI65PKPZRHSN6ZAUBRHA7BL44O5IOVMMZFZISMHTUD

bnb1zm5y3pns0ertprnvdyulz63tenlp9kc4m78v0m

bc1qdk0fquc7ug2zn7zpdyx4kasdy34t00c5r2xdup

Signatures

Phorphiex
Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.
worm trojan loader phorphiex

Suspicious use of NtCreateUserProcessOtherParentProcess 5 IoCs

Processes:

1944118448.exewinsvrupd.exe

description	pid	process	target process
PID 4020 created 2748	4020	1944118448.exe	Explorer.EXE
PID 4020 created 2748	4020	1944118448.exe	Explorer.EXE
PID 3968 created 2748	3968	winsvrupd.exe	Explorer.EXE
PID 3968 created 2748	3968	winsvrupd.exe	Explorer.EXE
PID 3968 created 2748	3968	winsvrupd.exe	Explorer.EXE

Windows security bypass 2 TTPs 6 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

sysagrsv.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	sysagrsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	sysagrsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	sysagrsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	sysagrsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1"	sysagrsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	sysagrsv.exe

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 2 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/5036-163-0x00007FF6A11C0000-0x00007FF6A19B4000-memory.dmp	xmrig
behavioral2/memory/5036-165-0x00007FF6A11C0000-0x00007FF6A19B4000-memory.dmp	xmrig

Blocklisted process makes network request 1 IoCs

Processes:

cmd.exe

flow pid process

74 5036 cmd.exe
Downloads MZ/PE file
Executes dropped EXE 6 IoCs

Processes:

318546061.exesysagrsv.exe681023501.exe499514715.exe1944118448.exewinsvrupd.exe

pid process

3008 318546061.exe
1688 sysagrsv.exe
3644 681023501.exe
632 499514715.exe
4020 1944118448.exe
3968 winsvrupd.exe

flow	pid	process
74	5036	cmd.exe

pid	process
3008	318546061.exe
1688	sysagrsv.exe
3644	681023501.exe
632	499514715.exe
4020	1944118448.exe
3968	winsvrupd.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/5036-163-0x00007FF6A11C0000-0x00007FF6A19B4000-memory.dmp	upx
behavioral2/memory/5036-165-0x00007FF6A11C0000-0x00007FF6A19B4000-memory.dmp	upx

Windows security modification 2 TTPs 7 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

sysagrsv.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	sysagrsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	sysagrsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1"	sysagrsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	sysagrsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	sysagrsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	sysagrsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiSpywareOverride = "1"	sysagrsv.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

318546061.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\sysagrsv.exe"	318546061.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

winsvrupd.exe

description pid process target process

PID 3968 set thread context of 5036 3968 winsvrupd.exe cmd.exe
Drops file in Windows directory 2 IoCs

Processes:

318546061.exe

description ioc process

File created C:\Windows\sysagrsv.exe 318546061.exe
File opened for modification C:\Windows\sysagrsv.exe 318546061.exe

description	pid	process	target process
PID 3968 set thread context of 5036	3968	winsvrupd.exe	cmd.exe

description	ioc	process
File created	C:\Windows\sysagrsv.exe	318546061.exe
File opened for modification	C:\Windows\sysagrsv.exe	318546061.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

1944118448.exepowershell.exepowershell.exewinsvrupd.exepowershell.exe

pid	process
4020	1944118448.exe
4020	1944118448.exe
1668	powershell.exe
1668	powershell.exe
4020	1944118448.exe
4020	1944118448.exe
3932	powershell.exe
3932	powershell.exe
3968	winsvrupd.exe
3968	winsvrupd.exe
1464	powershell.exe
1464	powershell.exe
3968	winsvrupd.exe
3968	winsvrupd.exe
3968	winsvrupd.exe
3968	winsvrupd.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

664

pid	process
664

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exe

description	pid	process
Token: SeDebugPrivilege	1668	powershell.exe
Token: SeIncreaseQuotaPrivilege	1668	powershell.exe
Token: SeSecurityPrivilege	1668	powershell.exe
Token: SeTakeOwnershipPrivilege	1668	powershell.exe
Token: SeLoadDriverPrivilege	1668	powershell.exe
Token: SeSystemProfilePrivilege	1668	powershell.exe
Token: SeSystemtimePrivilege	1668	powershell.exe
Token: SeProfSingleProcessPrivilege	1668	powershell.exe
Token: SeIncBasePriorityPrivilege	1668	powershell.exe
Token: SeCreatePagefilePrivilege	1668	powershell.exe
Token: SeBackupPrivilege	1668	powershell.exe
Token: SeRestorePrivilege	1668	powershell.exe
Token: SeShutdownPrivilege	1668	powershell.exe
Token: SeDebugPrivilege	1668	powershell.exe
Token: SeSystemEnvironmentPrivilege	1668	powershell.exe
Token: SeRemoteShutdownPrivilege	1668	powershell.exe
Token: SeUndockPrivilege	1668	powershell.exe
Token: SeManageVolumePrivilege	1668	powershell.exe
Token: 33	1668	powershell.exe
Token: 34	1668	powershell.exe
Token: 35	1668	powershell.exe
Token: 36	1668	powershell.exe
Token: SeIncreaseQuotaPrivilege	1668	powershell.exe
Token: SeSecurityPrivilege	1668	powershell.exe
Token: SeTakeOwnershipPrivilege	1668	powershell.exe
Token: SeLoadDriverPrivilege	1668	powershell.exe
Token: SeSystemProfilePrivilege	1668	powershell.exe
Token: SeSystemtimePrivilege	1668	powershell.exe
Token: SeProfSingleProcessPrivilege	1668	powershell.exe
Token: SeIncBasePriorityPrivilege	1668	powershell.exe
Token: SeCreatePagefilePrivilege	1668	powershell.exe
Token: SeBackupPrivilege	1668	powershell.exe
Token: SeRestorePrivilege	1668	powershell.exe
Token: SeShutdownPrivilege	1668	powershell.exe
Token: SeDebugPrivilege	1668	powershell.exe
Token: SeSystemEnvironmentPrivilege	1668	powershell.exe
Token: SeRemoteShutdownPrivilege	1668	powershell.exe
Token: SeUndockPrivilege	1668	powershell.exe
Token: SeManageVolumePrivilege	1668	powershell.exe
Token: 33	1668	powershell.exe
Token: 34	1668	powershell.exe
Token: 35	1668	powershell.exe
Token: 36	1668	powershell.exe
Token: SeIncreaseQuotaPrivilege	1668	powershell.exe
Token: SeSecurityPrivilege	1668	powershell.exe
Token: SeTakeOwnershipPrivilege	1668	powershell.exe
Token: SeLoadDriverPrivilege	1668	powershell.exe
Token: SeSystemProfilePrivilege	1668	powershell.exe
Token: SeSystemtimePrivilege	1668	powershell.exe
Token: SeProfSingleProcessPrivilege	1668	powershell.exe
Token: SeIncBasePriorityPrivilege	1668	powershell.exe
Token: SeCreatePagefilePrivilege	1668	powershell.exe
Token: SeBackupPrivilege	1668	powershell.exe
Token: SeRestorePrivilege	1668	powershell.exe
Token: SeShutdownPrivilege	1668	powershell.exe
Token: SeDebugPrivilege	1668	powershell.exe
Token: SeSystemEnvironmentPrivilege	1668	powershell.exe
Token: SeRemoteShutdownPrivilege	1668	powershell.exe
Token: SeUndockPrivilege	1668	powershell.exe
Token: SeManageVolumePrivilege	1668	powershell.exe
Token: 33	1668	powershell.exe
Token: 34	1668	powershell.exe
Token: 35	1668	powershell.exe
Token: 36	1668	powershell.exe

Suspicious use of FindShellTrayWindow 29 IoCs

Processes:

cmd.exe

pid	process
5036	cmd.exe
5036	cmd.exe
5036	cmd.exe
5036	cmd.exe
5036	cmd.exe
5036	cmd.exe
5036	cmd.exe
5036	cmd.exe
5036	cmd.exe
5036	cmd.exe
5036	cmd.exe
5036	cmd.exe
5036	cmd.exe
5036	cmd.exe
5036	cmd.exe
5036	cmd.exe
5036	cmd.exe
5036	cmd.exe
5036	cmd.exe
5036	cmd.exe
5036	cmd.exe
5036	cmd.exe
5036	cmd.exe
5036	cmd.exe
5036	cmd.exe
5036	cmd.exe
5036	cmd.exe
5036	cmd.exe
5036	cmd.exe

Suspicious use of SendNotifyMessage 29 IoCs

Processes:

cmd.exe

pid	process
5036	cmd.exe
5036	cmd.exe
5036	cmd.exe
5036	cmd.exe
5036	cmd.exe
5036	cmd.exe
5036	cmd.exe
5036	cmd.exe
5036	cmd.exe
5036	cmd.exe
5036	cmd.exe
5036	cmd.exe
5036	cmd.exe
5036	cmd.exe
5036	cmd.exe
5036	cmd.exe
5036	cmd.exe
5036	cmd.exe
5036	cmd.exe
5036	cmd.exe
5036	cmd.exe
5036	cmd.exe
5036	cmd.exe
5036	cmd.exe
5036	cmd.exe
5036	cmd.exe
5036	cmd.exe
5036	cmd.exe
5036	cmd.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

tmp.exe318546061.exesysagrsv.exe681023501.exepowershell.execmd.exewinsvrupd.exe

description	pid	process	target process
PID 2288 wrote to memory of 3008	2288	tmp.exe	318546061.exe
PID 2288 wrote to memory of 3008	2288	tmp.exe	318546061.exe
PID 2288 wrote to memory of 3008	2288	tmp.exe	318546061.exe
PID 3008 wrote to memory of 1688	3008	318546061.exe	sysagrsv.exe
PID 3008 wrote to memory of 1688	3008	318546061.exe	sysagrsv.exe
PID 3008 wrote to memory of 1688	3008	318546061.exe	sysagrsv.exe
PID 1688 wrote to memory of 3644	1688	sysagrsv.exe	681023501.exe
PID 1688 wrote to memory of 3644	1688	sysagrsv.exe	681023501.exe
PID 1688 wrote to memory of 3644	1688	sysagrsv.exe	681023501.exe
PID 1688 wrote to memory of 632	1688	sysagrsv.exe	499514715.exe
PID 1688 wrote to memory of 632	1688	sysagrsv.exe	499514715.exe
PID 1688 wrote to memory of 632	1688	sysagrsv.exe	499514715.exe
PID 3644 wrote to memory of 4020	3644	681023501.exe	1944118448.exe
PID 3644 wrote to memory of 4020	3644	681023501.exe	1944118448.exe
PID 3932 wrote to memory of 3092	3932	powershell.exe	schtasks.exe
PID 3932 wrote to memory of 3092	3932	powershell.exe	schtasks.exe
PID 688 wrote to memory of 5080	688	cmd.exe	WMIC.exe
PID 688 wrote to memory of 5080	688	cmd.exe	WMIC.exe
PID 3968 wrote to memory of 5036	3968	winsvrupd.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:2748

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:2288

C:\Users\Admin\AppData\Local\Temp\318546061.exe
C:\Users\Admin\AppData\Local\Temp\318546061.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3008

C:\Windows\sysagrsv.exe
C:\Windows\sysagrsv.exe
4⤵
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Suspicious use of WriteProcessMemory
PID:1688

C:\Users\Admin\AppData\Local\Temp\681023501.exe
C:\Users\Admin\AppData\Local\Temp\681023501.exe
5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3644

C:\Users\Admin\AppData\Local\Temp\1944118448.exe
C:\Users\Admin\AppData\Local\Temp\1944118448.exe
6⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4020

C:\Users\Admin\AppData\Local\Temp\499514715.exe
C:\Users\Admin\AppData\Local\Temp\499514715.exe
5⤵
- Executes dropped EXE
PID:632

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#fwjcobfk#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'GoogleUpdateTaskMachine' /tr '''C:\Users\Admin\Windows Security\Update\winsvrupd.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Windows Security\Update\winsvrupd.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachine' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachine" /t REG_SZ /f /d 'C:\Users\Admin\Windows Security\Update\winsvrupd.exe' }
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1668

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#boaqiqu#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "GoogleUpdateTaskMachine" } Else { "C:\Users\Admin\Windows Security\Update\winsvrupd.exe" }
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3932

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /run /tn GoogleUpdateTaskMachine
3⤵
PID:3092

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#fwjcobfk#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'GoogleUpdateTaskMachine' /tr '''C:\Users\Admin\Windows Security\Update\winsvrupd.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Windows Security\Update\winsvrupd.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachine' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachine" /t REG_SZ /f /d 'C:\Users\Admin\Windows Security\Update\winsvrupd.exe' }
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1464

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Users\Admin\AppData\Roaming\Google\Libs\g.log"
2⤵
- Suspicious use of WriteProcessMemory
PID:688

C:\Windows\System32\Wbem\WMIC.exe
wmic PATH Win32_VideoController GET Name, VideoProcessor
3⤵
PID:5080

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe dxfechzzfypoyjbf 6E3sjfZq2rJQaxvLPmXgsEqPiBiBLmVqlQRiqAROwnovuL/XXMnmllvN0dE0MNZasUNTlydMwtsW2rj8icJseNEYIR9Mk2CrBAnQSkVd4ghuXK6zXctx/Rv1juQihv2xvWMCiOcCltF908O7Q2gnrwdkD5pEVAuSGMT8e5i6oyrq4eYUoHB2nuvdKC2X+JFQf7iSJSEOJr7GBp5A9pekMuLZ1K+sy4g4Epzwi6wbVxl8ZM8mn+7GccIbj+pVuNsDYY3GPzEsZqgcGX8v8f7JRHr2ZjrjHFfnkTA9y/qycxz5Gn7YfwXD9vtnqqY+8qFe
2⤵
- Blocklisted process makes network request
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5036

C:\Users\Admin\Windows Security\Update\winsvrupd.exe
"C:\Users\Admin\Windows Security\Update\winsvrupd.exe"
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3968

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
3KB

MD5
00e7da020005370a518c26d5deb40691

SHA1
389b34fdb01997f1de74a5a2be0ff656280c0432

SHA256
a529468d442b807290b41565130e4c52760af9abec37613114db3857f11ad4fe

SHA512
9a02bacc6fb922d6202548e80e345c6cdec346b79ef7ac7a56f89fd342ff128de004065b9d010d015b54d4ca72f665ca658c7ffcd8eb906e14bfa5b48b43f2cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
b3aad2d3704ddad60ec55ee6420a9567

SHA1
d60411503159e7d045ab4a16183d74272fa70f39

SHA256
2e430c96b04d0f12f3513d45b69d533b18521cc650a6e8e29e6c15bc09bea50f

SHA512
cf06ed025e26897e103027406b079269caace70ac81b92b63e97989a6a6403db69198a3a277c882a0e9541f27f0525c43fd2d8e3d301828ce7ad23b0616c151e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
b4b6b8df15b60144120aaa8b547cffdc

SHA1
a3fccb61af44158a9506216f2212975a0af1cea3

SHA256
679e3d83bab49ad0ca3b3acb0f9c125c3930dbab0fd791f34164e25332b9d867

SHA512
c2f3c79d26ce794899ca86e4234385ddd3b1e6106fd4750d6b3777ba2456f830028862d862f666cba7a848a237fdfa6b9c672a86677f834432da6add494da178

Download Submit
C:\Users\Admin\AppData\Local\Temp\1944118448.exe
Filesize
2.0MB

MD5
7b0633ae007d5d202c33d505d580d4b7

SHA1
3fcc4bd2af14b385104c27d8a192c938295bba3e

SHA256
84984b4ae961524fa29008d142c78b6a859b451bdd21cedc04cc25caf4256116

SHA512
e1038eeaa16cc1a8c514870d2f3892c7a68f083fe7f9751906e75d93c079a51190f61e153c145302ec0c3c761de5b5e1803a7338041665d4584214a11048647f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1944118448.exe
Filesize
2.0MB

MD5
7b0633ae007d5d202c33d505d580d4b7

SHA1
3fcc4bd2af14b385104c27d8a192c938295bba3e

SHA256
84984b4ae961524fa29008d142c78b6a859b451bdd21cedc04cc25caf4256116

SHA512
e1038eeaa16cc1a8c514870d2f3892c7a68f083fe7f9751906e75d93c079a51190f61e153c145302ec0c3c761de5b5e1803a7338041665d4584214a11048647f

Download Submit
C:\Users\Admin\AppData\Local\Temp\318546061.exe
Filesize
75KB

MD5
cef53d7c28cc468a7cda230634a4c1dd

SHA1
147826c6b313e1274a166852a59f6ea7aff7703f

SHA256
71055501b3a9f1272add3a541ed59592033e1210ef6914422d5536c614c66b4a

SHA512
ed1d4473202f445bed306049b8184545c9857c8e45f5685257540731eb0057cf21519cd29d0db4a0dc9ad2ae4acee326f84849ba37ef54dd93ff5fbb46b13272

Download Submit
C:\Users\Admin\AppData\Local\Temp\318546061.exe
Filesize
75KB

MD5
cef53d7c28cc468a7cda230634a4c1dd

SHA1
147826c6b313e1274a166852a59f6ea7aff7703f

SHA256
71055501b3a9f1272add3a541ed59592033e1210ef6914422d5536c614c66b4a

SHA512
ed1d4473202f445bed306049b8184545c9857c8e45f5685257540731eb0057cf21519cd29d0db4a0dc9ad2ae4acee326f84849ba37ef54dd93ff5fbb46b13272

Download Submit
C:\Users\Admin\AppData\Local\Temp\499514715.exe
Filesize
6KB

MD5
193377d2d76a2da52c4935780e780ed8

SHA1
6d42df6ea3b97a2a41805a3a1e8f0a786bcd88c7

SHA256
9e6525d7e908ca4da3408723eb5c9870b04fed13f45de44566d6992e8909bb06

SHA512
c32c5f35e9b1e4967c5e6f2311457195cdde6013a9f67155b55b322134472cee803fd5099fd2bf8ca9c03e0d8287ca7b9ff9b4c8290464ab943ef18ac375536d

Download Submit
C:\Users\Admin\AppData\Local\Temp\499514715.exe
Filesize
6KB

MD5
193377d2d76a2da52c4935780e780ed8

SHA1
6d42df6ea3b97a2a41805a3a1e8f0a786bcd88c7

SHA256
9e6525d7e908ca4da3408723eb5c9870b04fed13f45de44566d6992e8909bb06

SHA512
c32c5f35e9b1e4967c5e6f2311457195cdde6013a9f67155b55b322134472cee803fd5099fd2bf8ca9c03e0d8287ca7b9ff9b4c8290464ab943ef18ac375536d

Download Submit
C:\Users\Admin\AppData\Local\Temp\681023501.exe
Filesize
6KB

MD5
03ee7b245daeebbf2ccaa1690a9fc8fc

SHA1
561710d7f8c05ff5c2a3a384be5de6e023e41ac4

SHA256
6bc23b9878978a2f3c507acfdad0b2244a8bda5143359613db039cb21d9c1228

SHA512
f64163899218b24ee1dd59748e024e0106d83dbea3e31c0f05b1efb8558a47c232dbbcd1463a121c63e2dff2743887925238d8bf6eab0b9ee0292386918e8e55

Download Submit
C:\Users\Admin\AppData\Local\Temp\681023501.exe
Filesize
6KB

MD5
03ee7b245daeebbf2ccaa1690a9fc8fc

SHA1
561710d7f8c05ff5c2a3a384be5de6e023e41ac4

SHA256
6bc23b9878978a2f3c507acfdad0b2244a8bda5143359613db039cb21d9c1228

SHA512
f64163899218b24ee1dd59748e024e0106d83dbea3e31c0f05b1efb8558a47c232dbbcd1463a121c63e2dff2743887925238d8bf6eab0b9ee0292386918e8e55

Download Submit
C:\Users\Admin\AppData\Roaming\Google\Libs\g.log
Filesize
226B

MD5
fdba80d4081c28c65e32fff246dc46cb

SHA1
74f809dedd1fc46a3a63ac9904c80f0b817b3686

SHA256
b9a385645ec2edddbc88b01e6b21362c14e9d7895712e67d375874eb7308e398

SHA512
b24a6784443c85bb56f8ae401ad4553c0955f587671ec7960bda737901d677d5e15d1a47d3674505fc98ea09ede2e5078a0aeb4481d3728e6715f3eac557cd29

Download Submit
C:\Users\Admin\Windows Security\Update\winsvrupd.exe
Filesize
2.0MB

MD5
7b0633ae007d5d202c33d505d580d4b7

SHA1
3fcc4bd2af14b385104c27d8a192c938295bba3e

SHA256
84984b4ae961524fa29008d142c78b6a859b451bdd21cedc04cc25caf4256116

SHA512
e1038eeaa16cc1a8c514870d2f3892c7a68f083fe7f9751906e75d93c079a51190f61e153c145302ec0c3c761de5b5e1803a7338041665d4584214a11048647f

Download Submit
C:\Windows\sysagrsv.exe
Filesize
75KB

MD5
cef53d7c28cc468a7cda230634a4c1dd

SHA1
147826c6b313e1274a166852a59f6ea7aff7703f

SHA256
71055501b3a9f1272add3a541ed59592033e1210ef6914422d5536c614c66b4a

SHA512
ed1d4473202f445bed306049b8184545c9857c8e45f5685257540731eb0057cf21519cd29d0db4a0dc9ad2ae4acee326f84849ba37ef54dd93ff5fbb46b13272

Download Submit
C:\Windows\sysagrsv.exe
Filesize
75KB

MD5
cef53d7c28cc468a7cda230634a4c1dd

SHA1
147826c6b313e1274a166852a59f6ea7aff7703f

SHA256
71055501b3a9f1272add3a541ed59592033e1210ef6914422d5536c614c66b4a

SHA512
ed1d4473202f445bed306049b8184545c9857c8e45f5685257540731eb0057cf21519cd29d0db4a0dc9ad2ae4acee326f84849ba37ef54dd93ff5fbb46b13272

Download Submit
memory/632-141-0x0000000000000000-mapping.dmp

Download
memory/1464-157-0x00007FF953230000-0x00007FF953CF1000-memory.dmp

Filesize
10.8MB

Download
memory/1464-158-0x00007FF953230000-0x00007FF953CF1000-memory.dmp

Filesize
10.8MB

Download
memory/1668-147-0x00007FF953230000-0x00007FF953CF1000-memory.dmp

Filesize
10.8MB

Download
memory/1668-146-0x000002A248C00000-0x000002A248C22000-memory.dmp

Filesize
136KB

Download
memory/1668-148-0x00007FF953230000-0x00007FF953CF1000-memory.dmp

Filesize
10.8MB

Download
memory/1688-135-0x0000000000000000-mapping.dmp

Download
memory/3008-132-0x0000000000000000-mapping.dmp

Download
memory/3092-152-0x0000000000000000-mapping.dmp

Download
memory/3644-138-0x0000000000000000-mapping.dmp

Download
memory/3932-153-0x00007FF953230000-0x00007FF953CF1000-memory.dmp

Filesize
10.8MB

Download
memory/3932-155-0x00007FF953230000-0x00007FF953CF1000-memory.dmp

Filesize
10.8MB

Download
memory/4020-144-0x0000000000000000-mapping.dmp

Download
memory/5036-161-0x00007FF6A19B2720-mapping.dmp

Download
memory/5036-162-0x0000024904810000-0x0000024904830000-memory.dmp

Filesize
128KB

Download
memory/5036-163-0x00007FF6A11C0000-0x00007FF6A19B4000-memory.dmp

Filesize
8.0MB

Download
memory/5036-164-0x0000024904880000-0x00000249048C0000-memory.dmp

Filesize
256KB

Download
memory/5036-165-0x00007FF6A11C0000-0x00007FF6A19B4000-memory.dmp

Filesize
8.0MB

Download
memory/5036-166-0x0000024998920000-0x0000024998940000-memory.dmp

Filesize
128KB

Download
memory/5036-167-0x0000024998920000-0x0000024998940000-memory.dmp

Filesize
128KB

Download
memory/5080-159-0x0000000000000000-mapping.dmp

Download