phorphiex | 84ad8981730bc90d066598f9d840998261265c043d19f5514108d725889538cb

Analysis

max time kernel
148s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
30-03-2024 05:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-03-30_b4c13f6033d5a75654e5d8836918cc65_ryuk.exe
Size

396KB
MD5

b4c13f6033d5a75654e5d8836918cc65
SHA1

7344a966ad1239698a9bf6615eb4dea25f49d934
SHA256

84ad8981730bc90d066598f9d840998261265c043d19f5514108d725889538cb
SHA512

43c4e712a86734c40a0bfcbaf21e1731941de4a959f48e9babbc8ee967e8130556079687e61adb4ab44475ac63e70ec8e0601ac5926c87d66553e18797d562be
SSDEEP

6144:cFb35BvvhYO7u1wq5e1WnLWXw8iIXjsI7iB/zYO+ARmi0yqCH:mFBnZq5e1WnuV8zR+fig

Score

10^/10

phorphiex xmrig evasion loader miner persistence trojan worm

Malware Config

Extracted

Family

phorphiex

http://185.215.113.66/

Wallets

0xAa3ea4838e8E3F6a1922c6B67E3cD6efD1ff175b

THRUoPK7oYqF7YyKZJvPYwTH35JsPZVPto

1Hw9tx4KyTq4oRoLVhPb4hjDJcLhEa4Tn6

qr89hag2967ef604ud3lw4pq8hmn69n46czwdnx3ut

XtxFdsKkRN3oVDXtN2ipcHeNi87basT2sL

LXMNcn9D8FQKzGNLjdSyR9dEM8Rsh9NzyX

rwn7tb5KQjXEjH42GgdHWHec5PPhVgqhSH

ARML6g7zynrwUHJbFJCCzMPiysUFXYBGgQ

48jYpFT6bT8MTeph7VsyzCQeDsGHqdQNc2kUkRFJPzfRHHjarBvBtudPUtParMkDzZbYBrd3yntWBQcsnVBNeeMbN9EXifg

3PL7YCa4akNYzuScqQwiSbtTP9q9E9PLreC

3FerB8kUraAVGCVCNkgv57zTBjUGjAUkU3

D9AJWrbYsidS9rAU146ifLRu1fzX9oQYSH

t1gvVWHnjbGTsoWXEyoTFojc2GqEzBgvbEn

bnb1cgttf7t5hu7ud3c436ufhcmy59qnkd09adqczd

bc1q0fusmmgycnhsd5cadsuz2hk8d4maausjfjypqg

bitcoincash:qr89hag2967ef604ud3lw4pq8hmn69n46czwdnx3ut

GAUCC7ZBSU2KJMHXOZD6AP5LOBGKNDPCDNRYP2CO2ACR63YCSUBNT5QE

Signatures

Phorphiex
Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.
worm trojan loader phorphiex

Phorphiex payload 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\788511091.exe	family_phorphiex

Suspicious use of NtCreateUserProcessOtherParentProcess 4 IoCs

Processes:

1035626155.exewupgrdsv.exe

description	pid	process	target process
PID 2112 created 3452	2112	1035626155.exe	Explorer.EXE
PID 2112 created 3452	2112	1035626155.exe	Explorer.EXE
PID 4544 created 3452	4544	wupgrdsv.exe	Explorer.EXE
PID 4544 created 3452	4544	wupgrdsv.exe	Explorer.EXE

Windows security bypass 2 TTPs 12 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

788511091.exe101795949.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	788511091.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	788511091.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	101795949.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	101795949.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	101795949.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	101795949.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1"	101795949.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	101795949.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	788511091.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	788511091.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1"	788511091.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	788511091.exe

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 1 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/4544-102-0x00007FF7BB9D0000-0x00007FF7BBF46000-memory.dmp	xmrig

Downloads MZ/PE file
Executes dropped EXE 8 IoCs

Processes:

5350.exe101795949.exe788511091.exe333802613.exe28331325.exe319893277.exe1035626155.exewupgrdsv.exe

pid process

644 5350.exe
3288 101795949.exe
4112 788511091.exe
2128 333802613.exe
1096 28331325.exe
2612 319893277.exe
2112 1035626155.exe
4544 wupgrdsv.exe

pid	process
644	5350.exe
3288	101795949.exe
4112	788511091.exe
2128	333802613.exe
1096	28331325.exe
2612	319893277.exe
2112	1035626155.exe
4544	wupgrdsv.exe

Windows security modification 2 TTPs 14 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

788511091.exe101795949.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	788511091.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	101795949.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	788511091.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	788511091.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	788511091.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	788511091.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiSpywareOverride = "1"	101795949.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	101795949.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	101795949.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	101795949.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiSpywareOverride = "1"	788511091.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1"	788511091.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	101795949.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1"	101795949.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

101795949.exe788511091.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\sysdinrdvs.exe"	101795949.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Users\\Admin\\sysdinrdvs.exe"	101795949.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Service = "C:\\Windows\\winknavrso.exe"	788511091.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Service = "C:\\Users\\Admin\\winknavrso.exe"	788511091.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

wupgrdsv.exe

description pid process target process

PID 4544 set thread context of 1036 4544 wupgrdsv.exe notepad.exe

description	pid	process	target process
PID 4544 set thread context of 1036	4544	wupgrdsv.exe	notepad.exe

Drops file in Windows directory 4 IoCs

Processes:

101795949.exe788511091.exe

description	ioc	process
File created	C:\Windows\sysdinrdvs.exe	101795949.exe
File opened for modification	C:\Windows\sysdinrdvs.exe	101795949.exe
File created	C:\Windows\winknavrso.exe	788511091.exe
File opened for modification	C:\Windows\winknavrso.exe	788511091.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

1035626155.exepowershell.exewupgrdsv.exepowershell.exe

pid	process
2112	1035626155.exe
2112	1035626155.exe
2212	powershell.exe
2212	powershell.exe
2112	1035626155.exe
2112	1035626155.exe
4544	wupgrdsv.exe
4544	wupgrdsv.exe
3772	powershell.exe
3772	powershell.exe
4544	wupgrdsv.exe
4544	wupgrdsv.exe

Suspicious behavior: SetClipboardViewer 1 IoCs

Processes:

788511091.exe

pid process

4112 788511091.exe

pid	process
4112	788511091.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exe

description	pid	process
Token: SeDebugPrivilege	2212	powershell.exe
Token: SeIncreaseQuotaPrivilege	2212	powershell.exe
Token: SeSecurityPrivilege	2212	powershell.exe
Token: SeTakeOwnershipPrivilege	2212	powershell.exe
Token: SeLoadDriverPrivilege	2212	powershell.exe
Token: SeSystemProfilePrivilege	2212	powershell.exe
Token: SeSystemtimePrivilege	2212	powershell.exe
Token: SeProfSingleProcessPrivilege	2212	powershell.exe
Token: SeIncBasePriorityPrivilege	2212	powershell.exe
Token: SeCreatePagefilePrivilege	2212	powershell.exe
Token: SeBackupPrivilege	2212	powershell.exe
Token: SeRestorePrivilege	2212	powershell.exe
Token: SeShutdownPrivilege	2212	powershell.exe
Token: SeDebugPrivilege	2212	powershell.exe
Token: SeSystemEnvironmentPrivilege	2212	powershell.exe
Token: SeRemoteShutdownPrivilege	2212	powershell.exe
Token: SeUndockPrivilege	2212	powershell.exe
Token: SeManageVolumePrivilege	2212	powershell.exe
Token: 33	2212	powershell.exe
Token: 34	2212	powershell.exe
Token: 35	2212	powershell.exe
Token: 36	2212	powershell.exe
Token: SeIncreaseQuotaPrivilege	2212	powershell.exe
Token: SeSecurityPrivilege	2212	powershell.exe
Token: SeTakeOwnershipPrivilege	2212	powershell.exe
Token: SeLoadDriverPrivilege	2212	powershell.exe
Token: SeSystemProfilePrivilege	2212	powershell.exe
Token: SeSystemtimePrivilege	2212	powershell.exe
Token: SeProfSingleProcessPrivilege	2212	powershell.exe
Token: SeIncBasePriorityPrivilege	2212	powershell.exe
Token: SeCreatePagefilePrivilege	2212	powershell.exe
Token: SeBackupPrivilege	2212	powershell.exe
Token: SeRestorePrivilege	2212	powershell.exe
Token: SeShutdownPrivilege	2212	powershell.exe
Token: SeDebugPrivilege	2212	powershell.exe
Token: SeSystemEnvironmentPrivilege	2212	powershell.exe
Token: SeRemoteShutdownPrivilege	2212	powershell.exe
Token: SeUndockPrivilege	2212	powershell.exe
Token: SeManageVolumePrivilege	2212	powershell.exe
Token: 33	2212	powershell.exe
Token: 34	2212	powershell.exe
Token: 35	2212	powershell.exe
Token: 36	2212	powershell.exe
Token: SeIncreaseQuotaPrivilege	2212	powershell.exe
Token: SeSecurityPrivilege	2212	powershell.exe
Token: SeTakeOwnershipPrivilege	2212	powershell.exe
Token: SeLoadDriverPrivilege	2212	powershell.exe
Token: SeSystemProfilePrivilege	2212	powershell.exe
Token: SeSystemtimePrivilege	2212	powershell.exe
Token: SeProfSingleProcessPrivilege	2212	powershell.exe
Token: SeIncBasePriorityPrivilege	2212	powershell.exe
Token: SeCreatePagefilePrivilege	2212	powershell.exe
Token: SeBackupPrivilege	2212	powershell.exe
Token: SeRestorePrivilege	2212	powershell.exe
Token: SeShutdownPrivilege	2212	powershell.exe
Token: SeDebugPrivilege	2212	powershell.exe
Token: SeSystemEnvironmentPrivilege	2212	powershell.exe
Token: SeRemoteShutdownPrivilege	2212	powershell.exe
Token: SeUndockPrivilege	2212	powershell.exe
Token: SeManageVolumePrivilege	2212	powershell.exe
Token: 33	2212	powershell.exe
Token: 34	2212	powershell.exe
Token: 35	2212	powershell.exe
Token: 36	2212	powershell.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

2024-03-30_b4c13f6033d5a75654e5d8836918cc65_ryuk.exe5350.exe101795949.exe319893277.exewupgrdsv.exe

description	pid	process	target process
PID 560 wrote to memory of 644	560	2024-03-30_b4c13f6033d5a75654e5d8836918cc65_ryuk.exe	5350.exe
PID 560 wrote to memory of 644	560	2024-03-30_b4c13f6033d5a75654e5d8836918cc65_ryuk.exe	5350.exe
PID 560 wrote to memory of 644	560	2024-03-30_b4c13f6033d5a75654e5d8836918cc65_ryuk.exe	5350.exe
PID 644 wrote to memory of 3288	644	5350.exe	101795949.exe
PID 644 wrote to memory of 3288	644	5350.exe	101795949.exe
PID 644 wrote to memory of 3288	644	5350.exe	101795949.exe
PID 3288 wrote to memory of 4112	3288	101795949.exe	788511091.exe
PID 3288 wrote to memory of 4112	3288	101795949.exe	788511091.exe
PID 3288 wrote to memory of 4112	3288	101795949.exe	788511091.exe
PID 3288 wrote to memory of 2128	3288	101795949.exe	333802613.exe
PID 3288 wrote to memory of 2128	3288	101795949.exe	333802613.exe
PID 3288 wrote to memory of 2128	3288	101795949.exe	333802613.exe
PID 3288 wrote to memory of 1096	3288	101795949.exe	28331325.exe
PID 3288 wrote to memory of 1096	3288	101795949.exe	28331325.exe
PID 3288 wrote to memory of 1096	3288	101795949.exe	28331325.exe
PID 3288 wrote to memory of 2612	3288	101795949.exe	319893277.exe
PID 3288 wrote to memory of 2612	3288	101795949.exe	319893277.exe
PID 3288 wrote to memory of 2612	3288	101795949.exe	319893277.exe
PID 2612 wrote to memory of 2112	2612	319893277.exe	1035626155.exe
PID 2612 wrote to memory of 2112	2612	319893277.exe	1035626155.exe
PID 4544 wrote to memory of 1036	4544	wupgrdsv.exe	notepad.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3452

C:\Users\Admin\AppData\Local\Temp\2024-03-30_b4c13f6033d5a75654e5d8836918cc65_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-30_b4c13f6033d5a75654e5d8836918cc65_ryuk.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:560

C:\Users\Admin\AppData\Local\Temp\5350.exe
"C:\Users\Admin\AppData\Local\Temp\5350.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:644

C:\Users\Admin\AppData\Local\Temp\101795949.exe
C:\Users\Admin\AppData\Local\Temp\101795949.exe
4⤵
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3288

C:\Users\Admin\AppData\Local\Temp\788511091.exe
C:\Users\Admin\AppData\Local\Temp\788511091.exe
5⤵
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: SetClipboardViewer
PID:4112

C:\Users\Admin\AppData\Local\Temp\333802613.exe
C:\Users\Admin\AppData\Local\Temp\333802613.exe
5⤵
- Executes dropped EXE
PID:2128

C:\Users\Admin\AppData\Local\Temp\28331325.exe
C:\Users\Admin\AppData\Local\Temp\28331325.exe
5⤵
- Executes dropped EXE
PID:1096

C:\Users\Admin\AppData\Local\Temp\319893277.exe
C:\Users\Admin\AppData\Local\Temp\319893277.exe
5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2612

C:\Users\Admin\AppData\Local\Temp\1035626155.exe
C:\Users\Admin\AppData\Local\Temp\1035626155.exe
6⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2112

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#llzqlmcx#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Windows Upgrade Manager' /tr '''C:\Users\Admin\Windows Upgrade\wupgrdsv.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Windows Upgrade\wupgrdsv.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Windows Upgrade Manager' -RunLevel 'Highest' -Force; }
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2212

C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /run /tn "Windows Upgrade Manager"
2⤵
PID:1100

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#llzqlmcx#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Windows Upgrade Manager' /tr '''C:\Users\Admin\Windows Upgrade\wupgrdsv.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Windows Upgrade\wupgrdsv.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Windows Upgrade Manager' -RunLevel 'Highest' -Force; }
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3772

C:\Windows\System32\notepad.exe
C:\Windows\System32\notepad.exe
2⤵
PID:1036

C:\Users\Admin\Windows Upgrade\wupgrdsv.exe
"C:\Users\Admin\Windows Upgrade\wupgrdsv.exe"
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
3KB

MD5
c95fe14a860e918a98d24f0f368b1c43

SHA1
69c8cdb324ffa35c638a9ca9e4231375af22a380

SHA256
b611743d7be3e9f89db1d97a71ed2ee2efcc02df0d824078ff7be6f78a0bb7f3

SHA512
6e8dcf392ebdab756016c82db7aa3bd920b26eb18b049d4d2980101bc34bf2d096003168c9853997e1d0683575668050c485acacf1fce8cb6054e8fc018b7fef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
7c454230042e04cd56c7fc216097e843

SHA1
e18b3635dbb875ddde49a995fe6dd2d66828bdd8

SHA256
ca55d5279641c69846bc7d426091c7c0812317e36871d36ada6a6aa7749787c1

SHA512
3c897e5b3071287d456ff2f832017b7001b50a463173e0e44c5bed9921e8b8f1e3f1169a910ee177f3674ae94f87e5f32700cc25b320b936264bde6967fa7897

Download Submit
C:\Users\Admin\AppData\Local\Temp\101795949.exe
Filesize
84KB

MD5
161a475bfe57d8b5317ca1f2f24b88fa

SHA1
38fa8a789d3d7570c411ddf4c038d89524142c2c

SHA256
98fb81423a107a5359e5fc86f1c4d81ff2d4bc73b79f55a5bf827fdb8e620c54

SHA512
d9f61f80c96fbac030c1105274f690d38d5dc8af360645102080a7caed7bad303ae89ed0e169124b834a68d1a669781eb70269bf4e8d5f34aeef394dd3d16547

Download Submit
C:\Users\Admin\AppData\Local\Temp\1035626155.exe
Filesize
5.4MB

MD5
41ab08c1955fce44bfd0c76a64d1945a

SHA1
2b9cb05f4de5d98c541d15175d7f0199cbdd0eea

SHA256
dd12cb27b3867341bf6ca48715756500d3ec56c19b21bb1c1290806aa74cb493

SHA512
38834ae703a8541b4fec9a1db94cfe296ead58649bb1d4873b517df14d0c6a9d25e49ff04c2bf6bb0188845116a4e894aae930d849f9be8c98d2ce51da1ef116

Download Submit
C:\Users\Admin\AppData\Local\Temp\28331325.exe
Filesize
21KB

MD5
fbfed7e78bd7500305b4f5aa3be7faf7

SHA1
725efabc569850d85e14ab2f32ce2f334449b05e

SHA256
259c1a878ba150f7e5be9b2884add3ea92a254ddfcc7b7ddbb0bf6d1bf30a500

SHA512
6dd4f49db3cf03c4723fa8c62446875738f53266d3ea5ba9462451ecf94224374b761a547fa68ff2ea2b1054cb0176cd8f5fd458101f3f0f25c0d4f0a76bb757

Download Submit
C:\Users\Admin\AppData\Local\Temp\319893277.exe
Filesize
6KB

MD5
0d539e8277f20391a31babff8714fdb0

SHA1
a4e63870aa5fd258dde4f02be70732c27f556fa9

SHA256
669035f4f05fe6ffc7722987c41f802f3a11298cb3a154b00c4e76df2ae5fe32

SHA512
700ff1733a064ddda80c0ac4702e50a8c0ddd97f154ff894f89d16603c02076a13e1a93ca51224579898cdf69e560a69dff60d4f5e26a479e74a3e3350f822ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\333802613.exe
Filesize
84KB

MD5
41d55c23d79fc0c0c322db16c6ce6af8

SHA1
e4bbdf2a983a11975a7ab6dcba41cb60676ec780

SHA256
93f3f99a6d6dc69b907a3da8596bd850c1e3ce53be9bf1c6edfdb00e90579e6f

SHA512
06680eb47802659dc2e28cd9a839052a8536112056db49f7179f1b53cf2dba0e9cfd9d8bbdeb446ecb8a2f4a58f7b0f100d0526660d4afd8540a4db091cf621f

Download Submit
C:\Users\Admin\AppData\Local\Temp\5350.exe
Filesize
9KB

MD5
62b97cf4c0abafeda36e3fc101a5a022

SHA1
328fae9acff3f17df6e9dc8d6ef1cec679d4eb2b

SHA256
e172537adcee1fcdc8f16c23e43a5ac82c56a0347fa0197c08be979438a534ab

SHA512
32bd7062aabd25205471cec8d292b820fc2fd2479da6fb723332887fc47036570bb2d25829acb7c883ccaaab272828c8effbc78f02a3deeabb47656f4b64eb24

Download Submit
C:\Users\Admin\AppData\Local\Temp\788511091.exe
Filesize
23KB

MD5
9d2b22562b9a3958dfd7e6e6fa7bd66f

SHA1
1941c24958ac09cf518f4124225b2d0b5d874cf0

SHA256
84daa9d52f759af343741880a3b66a3abb886310de7f552743d99e69741c6450

SHA512
8c0b54e01f62207edaaf8f967fe83eacd3e278660c1764feb3fde68bfd376ba875012849f969d8b5922bd6b791a231bf75dc76eade227e2fd25f4791163d9dd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_z1enrirx.j3a.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/1036-104-0x000001C9DF8E0000-0x000001C9DF900000-memory.dmp

Filesize
128KB

Download
memory/1036-103-0x000001C9DF8B0000-0x000001C9DF8D0000-memory.dmp

Filesize
128KB

Download
memory/2112-82-0x00007FF6CAA40000-0x00007FF6CAFB6000-memory.dmp

Filesize
5.5MB

Download
memory/2212-75-0x0000018FBE080000-0x0000018FBE090000-memory.dmp

Filesize
64KB

Download
memory/2212-79-0x00007FFB09680000-0x00007FFB0A141000-memory.dmp

Filesize
10.8MB

Download
memory/2212-76-0x0000018FBE080000-0x0000018FBE090000-memory.dmp

Filesize
64KB

Download
memory/2212-74-0x0000018FBE080000-0x0000018FBE090000-memory.dmp

Filesize
64KB

Download
memory/2212-73-0x0000018FBE080000-0x0000018FBE090000-memory.dmp

Filesize
64KB

Download
memory/2212-71-0x0000018FD86A0000-0x0000018FD86C2000-memory.dmp

Filesize
136KB

Download
memory/2212-72-0x00007FFB09680000-0x00007FFB0A141000-memory.dmp

Filesize
10.8MB

Download
memory/3772-85-0x00007FFB09680000-0x00007FFB0A141000-memory.dmp

Filesize
10.8MB

Download
memory/3772-92-0x000001C524330000-0x000001C524340000-memory.dmp

Filesize
64KB

Download
memory/3772-97-0x000001C524330000-0x000001C524340000-memory.dmp

Filesize
64KB

Download
memory/3772-99-0x00007FFB09680000-0x00007FFB0A141000-memory.dmp

Filesize
10.8MB

Download
memory/4544-102-0x00007FF7BB9D0000-0x00007FF7BBF46000-memory.dmp

Filesize
5.5MB

Download