phorphiex | 16930620b3b9166e0ffbd98f5d5b580c9919fd6ccdcc74fb996f53577f508267

max time kernel
599s
max time network
601s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
07/09/2024, 10:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4363463463464363463463463.exe
Size

10KB
MD5

2a94f3960c58c6e70826495f76d00b85
SHA1

e2a1a5641295f5ebf01a37ac1c170ac0814bb71a
SHA256

2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce
SHA512

fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f
SSDEEP

192:xlwayyHOXGc20L7BIW12n/ePSjiTlzkGu8stYcFwVc03KY:xlwwHe/20PKn/cLTlHuptYcFwVc03K

Score

10^/10

phorphiex discovery evasion execution loader persistence trojan worm

Malware Config

Extracted

Family

phorphiex

http://185.215.113.66/

http://91.202.233.141/

Wallets

0xCa90599132C4D88907Bd8E046540284aa468a035

TRuGGXNDM1cavQ1AqMQHG8yfxP4QWVSMN6

qph44jx8r9k5xeq5cuf958krv3ewrnp5vc6hhdjd3r

XryzFMFVpDUvU7famUGf214EXD3xNUSmQf

rsXCXBf9SagxV8JfC12d8Bybk84oPdMNN9

AULzfBuUAPfCGAXoG5Vq14aP9s6fx3AH4Z

LTK4xdKPAgFHPLan8kriAD7eY4heyy73mB

MP8GEm8QpYgQYaMo8oM5NQhRBgDGiLZW5Q

4BB7ckkaPTyADc8trtuwDoZxywaR4eNL5cDJ3KBjq9GraN4mUFztf7mLS7WgT7Bh7uPqpjvA4ypVwXKCJ1vvLWWAFvSmDoD

15TssKwtjMtwy4vDLcLsQUZUD2B9f7eDjw85sBNVC5LRPPnC

1BzmrjmKPKSR2hH5BeJySfiVA676E8DYaK

ltc1qt0n3f0t7vz9k0mvcswk477shrxwjhf9sj5ykrp

3PMiLynrGVZ8oEqvoqC4hXD67B1WoALR4pc

3BiS1jaRpWtkqtfZGp9f1rXXts5DyUkaBX

DLUzwvyxN1RrwjByUPPzVMdfxNRPGVRMMA

t1J6GCPCiHW1eRdjJgDDu6b1vSVmL5U7Twh

stars125f3mw4xd9htpsq4zj5w5ezm5gags37yxxh6mj

bnb1msyt0djx4ecspfxg5en0ye465kg3kmv9utzml2

bc1ppypcmu3684n648gyj62gjp2rw0xy7w3vwfamatlg29ajp4z52desafa0sr

bc1qc9edl4hzl9jyt8twdad3zjeh2df2znq96tdezd

Attributes

mutex
dgh345rew
user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36

Signatures

Modifies security service 2 TTPs 4 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	sysmablsvr.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	syschvard.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	syschvard.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	sysarddrvs.exe

Phorphiex payload 3 IoCs

resource	yara_rule
behavioral1/files/0x00030000000226ca-10.dat	family_phorphiex
behavioral1/files/0x000700000002363f-89.dat	family_phorphiex
behavioral1/files/0x0003000000023274-143.dat	family_phorphiex

Phorphiex, Phorpiex
Phorphiex or Phorpiex Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.
worm trojan loader phorphiex

Windows security bypass 2 TTPs 24 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	syschvard.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	sysarddrvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	sysmablsvr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	sysmablsvr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	syschvard.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	syschvard.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1"	syschvard.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	sysarddrvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1"	sysmablsvr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	sysmablsvr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	syschvard.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	syschvard.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	sysarddrvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	sysarddrvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	sysarddrvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1"	sysarddrvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	syschvard.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	syschvard.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	syschvard.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	sysmablsvr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	sysmablsvr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	syschvard.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1"	syschvard.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	syschvard.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4276	powershell.exe
1624	powershell.exe
4832	powershell.exe

Downloads MZ/PE file
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	syschvard.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	syschvard.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	4363463463464363463463463.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	sysarddrvs.exe

Executes dropped EXE 19 IoCs

pid	Process
4908	11.exe
2328	sysarddrvs.exe
4748	66cf535e3dcf9_BitcoinCore.exe
3144	o.exe
3584	sysmablsvr.exe
3560	pp.exe
4020	pei.exe
2836	m.exe
2052	237975868.exe
4928	syschvard.exe
1104	979523511.exe
2416	1594930747.exe
4492	newtpp.exe
984	tt.exe
948	tpeinf.exe
2412	3005114408.exe
4800	228329871.exe
2796	1669915574.exe
2456	syschvard.exe

Windows security modification 2 TTPs 28 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	sysarddrvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	sysarddrvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	sysarddrvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	sysmablsvr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiSpywareOverride = "1"	syschvard.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	syschvard.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1"	sysarddrvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	sysmablsvr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	sysmablsvr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiSpywareOverride = "1"	syschvard.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	syschvard.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	syschvard.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	syschvard.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	sysmablsvr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1"	sysmablsvr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	syschvard.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	syschvard.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	syschvard.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	sysarddrvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	sysarddrvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	syschvard.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	syschvard.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiSpywareOverride = "1"	sysmablsvr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	sysmablsvr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1"	syschvard.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1"	syschvard.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiSpywareOverride = "1"	sysarddrvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	syschvard.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\sysarddrvs.exe"	11.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\sysmablsvr.exe"	o.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\syschvard.exe"	237975868.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Users\\Admin\\syschvard.exe"	1669915574.exe

Drops file in Windows directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\sysarddrvs.exe	11.exe
File created	C:\Windows\sysmablsvr.exe	o.exe
File opened for modification	C:\Windows\sysmablsvr.exe	o.exe
File created	C:\Windows\syschvard.exe	237975868.exe
File opened for modification	C:\Windows\syschvard.exe	237975868.exe
File created	C:\Windows\syschvard.exe	1669915574.exe
File created	C:\Windows\sysarddrvs.exe	11.exe

Launches sc.exe 15 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4792	sc.exe
4756	sc.exe
3620	sc.exe
4456	sc.exe
4948	sc.exe
2044	sc.exe
1628	sc.exe
1660	sc.exe
3084	sc.exe
2388	sc.exe
2112	sc.exe
4384	sc.exe
4208	sc.exe
1184	sc.exe
4300	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 43 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tpeinf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3005114408.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	o.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	m.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1669915574.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	syschvard.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	11.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysmablsvr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	228329871.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pei.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	newtpp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1594930747.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysarddrvs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	237975868.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	syschvard.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	979523511.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4363463463464363463463463.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
4276	powershell.exe
4276	powershell.exe
4276	powershell.exe
1624	powershell.exe
1624	powershell.exe
1624	powershell.exe
4832	powershell.exe
4832	powershell.exe

Suspicious behavior: SetClipboardViewer 2 IoCs

pid	Process
3584	sysmablsvr.exe
4928	syschvard.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	4500	4363463463464363463463463.exe
Token: SeDebugPrivilege	4276	powershell.exe
Token: SeDebugPrivilege	1624	powershell.exe
Token: SeDebugPrivilege	4832	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4500 wrote to memory of 4908	4500	4363463463464363463463463.exe	103
PID 4500 wrote to memory of 4908	4500	4363463463464363463463463.exe	103
PID 4500 wrote to memory of 4908	4500	4363463463464363463463463.exe	103
PID 4908 wrote to memory of 2328	4908	11.exe	104
PID 4908 wrote to memory of 2328	4908	11.exe	104
PID 4908 wrote to memory of 2328	4908	11.exe	104
PID 2328 wrote to memory of 720	2328	sysarddrvs.exe	105
PID 2328 wrote to memory of 720	2328	sysarddrvs.exe	105
PID 2328 wrote to memory of 720	2328	sysarddrvs.exe	105
PID 2328 wrote to memory of 2992	2328	sysarddrvs.exe	107
PID 2328 wrote to memory of 2992	2328	sysarddrvs.exe	107
PID 2328 wrote to memory of 2992	2328	sysarddrvs.exe	107
PID 720 wrote to memory of 4276	720	cmd.exe	109
PID 720 wrote to memory of 4276	720	cmd.exe	109
PID 720 wrote to memory of 4276	720	cmd.exe	109
PID 2992 wrote to memory of 4456	2992	cmd.exe	110
PID 2992 wrote to memory of 4456	2992	cmd.exe	110
PID 2992 wrote to memory of 4456	2992	cmd.exe	110
PID 2992 wrote to memory of 4384	2992	cmd.exe	111
PID 2992 wrote to memory of 4384	2992	cmd.exe	111
PID 2992 wrote to memory of 4384	2992	cmd.exe	111
PID 2992 wrote to memory of 4208	2992	cmd.exe	112
PID 2992 wrote to memory of 4208	2992	cmd.exe	112
PID 2992 wrote to memory of 4208	2992	cmd.exe	112
PID 2992 wrote to memory of 1660	2992	cmd.exe	113
PID 2992 wrote to memory of 1660	2992	cmd.exe	113
PID 2992 wrote to memory of 1660	2992	cmd.exe	113
PID 2992 wrote to memory of 4948	2992	cmd.exe	114
PID 2992 wrote to memory of 4948	2992	cmd.exe	114
PID 2992 wrote to memory of 4948	2992	cmd.exe	114
PID 4500 wrote to memory of 4748	4500	4363463463464363463463463.exe	116
PID 4500 wrote to memory of 4748	4500	4363463463464363463463463.exe	116
PID 4500 wrote to memory of 3144	4500	4363463463464363463463463.exe	117
PID 4500 wrote to memory of 3144	4500	4363463463464363463463463.exe	117
PID 4500 wrote to memory of 3144	4500	4363463463464363463463463.exe	117
PID 3144 wrote to memory of 3584	3144	o.exe	118
PID 3144 wrote to memory of 3584	3144	o.exe	118
PID 3144 wrote to memory of 3584	3144	o.exe	118
PID 4500 wrote to memory of 3560	4500	4363463463464363463463463.exe	120
PID 4500 wrote to memory of 3560	4500	4363463463464363463463463.exe	120
PID 4500 wrote to memory of 3560	4500	4363463463464363463463463.exe	120
PID 4500 wrote to memory of 4020	4500	4363463463464363463463463.exe	121
PID 4500 wrote to memory of 4020	4500	4363463463464363463463463.exe	121
PID 4500 wrote to memory of 4020	4500	4363463463464363463463463.exe	121
PID 4500 wrote to memory of 2836	4500	4363463463464363463463463.exe	122
PID 4500 wrote to memory of 2836	4500	4363463463464363463463463.exe	122
PID 4500 wrote to memory of 2836	4500	4363463463464363463463463.exe	122
PID 4020 wrote to memory of 2052	4020	pei.exe	123
PID 4020 wrote to memory of 2052	4020	pei.exe	123
PID 4020 wrote to memory of 2052	4020	pei.exe	123
PID 2052 wrote to memory of 4928	2052	237975868.exe	124
PID 2052 wrote to memory of 4928	2052	237975868.exe	124
PID 2052 wrote to memory of 4928	2052	237975868.exe	124
PID 4928 wrote to memory of 4364	4928	syschvard.exe	125
PID 4928 wrote to memory of 4364	4928	syschvard.exe	125
PID 4928 wrote to memory of 4364	4928	syschvard.exe	125
PID 4928 wrote to memory of 4892	4928	syschvard.exe	127
PID 4928 wrote to memory of 4892	4928	syschvard.exe	127
PID 4928 wrote to memory of 4892	4928	syschvard.exe	127
PID 4364 wrote to memory of 1624	4364	cmd.exe	129
PID 4364 wrote to memory of 1624	4364	cmd.exe	129
PID 4364 wrote to memory of 1624	4364	cmd.exe	129
PID 4892 wrote to memory of 4792	4892	cmd.exe	130
PID 4892 wrote to memory of 4792	4892	cmd.exe	130

C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe
"C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4500
- C:\Users\Admin\AppData\Local\Temp\Files\11.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\11.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4908
- - C:\Windows\sysarddrvs.exe
    C:\Windows\sysarddrvs.exe
    3⤵
    - Modifies security service
    - Windows security bypass
    - Checks computer location settings
    - Executes dropped EXE
    - Windows security modification
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2328
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:720
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"
        5⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4276
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop DoSvc & sc stop BITS
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2992
    - - C:\Windows\SysWOW64\sc.exe
        
        sc stop UsoSvc
        5⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:4456
    - - C:\Windows\SysWOW64\sc.exe
        
        sc stop WaaSMedicSvc
        5⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:4384
    - - C:\Windows\SysWOW64\sc.exe
        
        sc stop wuauserv
        5⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:4208
    - - C:\Windows\SysWOW64\sc.exe
        
        sc stop DoSvc
        5⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:1660
    - - C:\Windows\SysWOW64\sc.exe
        
        sc stop BITS
        5⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:4948
  - - C:\Users\Admin\AppData\Local\Temp\979523511.exe
      C:\Users\Admin\AppData\Local\Temp\979523511.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1104
- C:\Users\Admin\AppData\Local\Temp\Files\66cf535e3dcf9_BitcoinCore.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\66cf535e3dcf9_BitcoinCore.exe"
  2⤵
  - Executes dropped EXE
  PID:4748
- C:\Users\Admin\AppData\Local\Temp\Files\o.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\o.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3144
- - C:\Windows\sysmablsvr.exe
    C:\Windows\sysmablsvr.exe
    3⤵
    - Modifies security service
    - Windows security bypass
    - Executes dropped EXE
    - Windows security modification
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: SetClipboardViewer
    PID:3584
  - - C:\Users\Admin\AppData\Local\Temp\228329871.exe
      C:\Users\Admin\AppData\Local\Temp\228329871.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4800
- C:\Users\Admin\AppData\Local\Temp\Files\pp.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\pp.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3560
- C:\Users\Admin\AppData\Local\Temp\Files\pei.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\pei.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4020
- - C:\Users\Admin\AppData\Local\Temp\237975868.exe
    C:\Users\Admin\AppData\Local\Temp\237975868.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2052
  - - C:\Windows\syschvard.exe
      C:\Windows\syschvard.exe
      4⤵
      Modifies security service
      Windows security bypass
      Checks computer location settings
      Executes dropped EXE
      Windows security modification
      System Location Discovery: System Language Discovery
      Suspicious behavior: SetClipboardViewer
      Suspicious use of WriteProcessMemory
      PID:4928
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4364
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"
        6⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1624
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop DoSvc & sc stop BITS
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4892
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop UsoSvc
        6⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:4792
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop WaaSMedicSvc
        6⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:1184
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop wuauserv
        6⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:3084
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop DoSvc
        6⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:4756
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop BITS
        6⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:2044
    - - C:\Users\Admin\AppData\Local\Temp\1594930747.exe
        
        C:\Users\Admin\AppData\Local\Temp\1594930747.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2416
    - - C:\Users\Admin\AppData\Local\Temp\1669915574.exe
        
        C:\Users\Admin\AppData\Local\Temp\1669915574.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2796
      - C:\Users\Admin\syschvard.exe
        
        C:\Users\Admin\syschvard.exe
        6⤵
        Modifies security service
        Windows security bypass
        Checks computer location settings
        Executes dropped EXE
        Windows security modification
        System Location Discovery: System Language Discovery
        
        PID:2456
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3900
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"
        8⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4832
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop DoSvc & sc stop BITS
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:4116
        
        C:\Windows\SysWOW64\sc.exe
        
        sc stop UsoSvc
        8⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:2388
        
        C:\Windows\SysWOW64\sc.exe
        
        sc stop WaaSMedicSvc
        8⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:2112
        
        C:\Windows\SysWOW64\sc.exe
        
        sc stop wuauserv
        8⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:1628
        
        C:\Windows\SysWOW64\sc.exe
        
        sc stop DoSvc
        8⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:3620
        
        C:\Windows\SysWOW64\sc.exe
        
        sc stop BITS
        8⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:4300
- C:\Users\Admin\AppData\Local\Temp\Files\m.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\m.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2836
- C:\Users\Admin\AppData\Local\Temp\Files\newtpp.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\newtpp.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4492
- C:\Users\Admin\AppData\Local\Temp\Files\tt.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\tt.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:984
- C:\Users\Admin\AppData\Local\Temp\Files\tpeinf.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\tpeinf.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:948
- - C:\Users\Admin\AppData\Local\Temp\3005114408.exe
    C:\Users\Admin\AppData\Local\Temp\3005114408.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2412

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4400,i,10597648459838880772,16562651767759956329,262144 --variations-seed-version --mojo-platform-channel-handle=4160 /prefetch:8
1⤵
PID:740

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4476,i,10597648459838880772,16562651767759956329,262144 --variations-seed-version --mojo-platform-channel-handle=1304 /prefetch:8
1⤵
PID:100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
676ed3239bb2efeebba2ce9c3c466b52

SHA1
f5d61f4dcd675a27499835ccf6d74352d610f499

SHA256
caf82f9d2703fa53e96151c0ee3a8a75545f0d6ebbc093ce701b35a0ab05d764

SHA512
7136929700eda2d037f95faa59f3d8fca3876fe6e3d3d682cbe389bbbc56539103ff40d39dc45d4ef0b0b07d3d074353bd8c5b98e86d49f5be330e9c0fe01cdd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
caaa4e52ee6e0aad04600f22704b1165

SHA1
2a52ec7d2513f458deebd3ee38f1701012d44acc

SHA256
78d6fb31fbaf09a38be5768f4483e2542e0e7810839215fef2dd189eca97378d

SHA512
3061ec3e3df2c46b2ebae2340c6922c4de9c8ef9b19e6cb084f09354366f804c55dc78ab2bb3e105f45e701a7c1dbc0672f23eee2afb5a74787a5ce65ef319a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\1594930747.exe

Filesize
10KB

MD5
3490e23fa115eac57786457db1337bee

SHA1
53ebab3f28db0638590173b0e5a95387ba077a88

SHA256
238e208ff8df460dcc960f6089270f7faaff33487adea317c827104f44e6b415

SHA512
6aa5e5554f8936f1a4cf524ed1b8de0e54640205b64285d4045f229835eae613834673f2faa51aaa9cc2553027c7dacf932436d502a871bae4a31a5e2f6f2451

Download Submit
C:\Users\Admin\AppData\Local\Temp\237975868.exe

Filesize
84KB

MD5
aa63b9c3f01d3d50c77b06c75dd63f88

SHA1
e67b74385a1d67ec57f5bb3a40184ee23b251eb4

SHA256
dcc51ea4252198d176b3249339675d2ea54759d1fb9aab487bc69f56f7ba2ac1

SHA512
0e0445f3158b9501d73d201a64556dfb3db7e513bd2fc32e6b5024d7641ace63679068abdc18a19346a1338a7007ee413ce7861ad09b8db5fb40eef5ec60fda7

Download Submit
C:\Users\Admin\AppData\Local\Temp\979523511.exe

Filesize
10KB

MD5
dd4cf1ac2e0fc375ee8b03fd8eb295c8

SHA1
0f00590a3be2e22dae8aaaa7391eeb485d45255e

SHA256
b04e8d007b3086fab051ae35b11fe16541f0fd4c8e4c2940a35f554ce827c3a4

SHA512
cf5b111ce7c9dc45b05994522ce2699d0e8a28fc6d5acdaacfe1f66e5a2b36b9f611a82952a54465702529563c8b5757cfc5625c23635a4005c75e30d691219b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\11.exe

Filesize
79KB

MD5
e2e3268f813a0c5128ff8347cbaa58c8

SHA1
4952cbfbdec300c048808d79ee431972b8a7ba84

SHA256
d8b83f78ed905a7948e2e1e371f0f905bcaaabbb314c692fee408a454f8338a3

SHA512
cb5aeda8378a9a5470f33f2b70c22e77d2df97b162ba953eb16da085b3c434be31a5997eac11501db0cb612cdb30fa9045719fcd10c7227c56cc782558e0c3bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\66cf535e3dcf9_BitcoinCore.exe

Filesize
8.3MB

MD5
b7a66864aedc3fa7a4686498eaf2b251

SHA1
045154b73c8c25e29c5db10d297d44e5371af940

SHA256
d51fbbda89b717b798dc784dbe3eb4aa151e9ef095c054e19368698fe923317e

SHA512
f1ffab89f395247c69121fe3a700798c8cd5a9af94f33674995642471160f428c2931fa86c6686558ba75e0d6a20131854b987790160cae19a533a7f40862957

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\o.exe

Filesize
88KB

MD5
ababca6d12d96e8dd2f1d7114b406fae

SHA1
dcd9798e83ec688aacb3de8911492a232cb41a32

SHA256
a992920e64a64763f3dd8c2a431a0f5e56e5b3782a1496de92bc80ee71cca5ba

SHA512
b7fc70c176bdc74cf68b14e694f3e53142e64d39bd6d3e0f2e3a74ce3178ea606f92f760d21db69d72ae6677545a47c7bf390fb65cd5247a48e239f6ae8f7b8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\pei.exe

Filesize
9KB

MD5
8d8e6c7952a9dc7c0c73911c4dbc5518

SHA1
9098da03b33b2c822065b49d5220359c275d5e94

SHA256
feb4c3ae4566f0acbb9e0f55417b61fefd89dc50a4e684df780813fb01d61278

SHA512
91a573843c28dd32a9f31a60ba977f9a3d4bb19ffd1b7254333e09bcecef348c1b3220a348ebb2cb08edb57d56cb7737f026519da52199c9dc62c10aea236645

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\tpeinf.exe

Filesize
6KB

MD5
cfb7fbf1d4b077a0e74ed6e9aab650a8

SHA1
a91cfbcc9e67e8f4891dde04e7d003fc63b7d977

SHA256
d93add71a451ec7c04c99185ae669e59fb866eb38f463e9425044981ed1bcae0

SHA512
b174d0fed1c605decc4e32079a76fbb324088b710ce1a3fe427a9a30c7bdcd6ac1ad223970cdc64061705f9a268afa96463ee73536b46991981d041517b77785

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3ge2bvya.a5a.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\tbtcmds.dat

Filesize
285B

MD5
af71fb92892fe37aa906f0d48e4f8b4d

SHA1
1feecb0f39cbe1f56e7d5ad7e324fdc2995c630b

SHA256
dd9defbb2742d48497b4bfa60d60164795a325c639e19472cd3a1d83b88a80cd

SHA512
e0940bc407b299111cb32166303accfd900fbf4e227965fa69c54f46315567e07c286b9d348dc2bbdd594b7fd56bf52e5d0c758a31bdd8bacb1afdecb81dbac7

Download Submit
C:\Users\Admin\tbtnds.dat

Filesize
3KB

MD5
eee5858a682c4f16d61458e135d95853

SHA1
5512676bcc88f701107d5008a14483abf4bf7e34

SHA256
dc130b4e51508fe89b2c9d1f1a70867686c8d4f047e603c40e841ed12a320944

SHA512
7bf3f93fc7d497d0281c4f3ac8a1aa6767db07d090b9d8bfe646869bf4bc790b40196415b2f882d1f6f200c885ddfffda5bd68bd2612c3f4ed21ce06488465e5

Download Submit
C:\Users\Admin\tbtnds.dat

Filesize
4KB

MD5
b02e31af66f86c9dba0d348eb4ba2fe0

SHA1
32a0df31e00166324c0d5558f5ae0134c273da22

SHA256
f21953d6a4e6d61360ee433f8110d611d35109b619c634a6a55c853812d250ff

SHA512
ea37b9223752aabdb51b52c9f0f6fe5b192974feb8fa4587d6a117830afb5c073d58d8ba887667e59c1d213257d3b1abff9f2efeaac32bc84ce6dda1be23d14a

Download Submit
C:\Users\Admin\tbtnds.dat

Filesize
4KB

MD5
a49a395fd6d977ca64a39511474cfb1d

SHA1
94c53acaebd5aede6cb760fb863d1a878e785c7c

SHA256
c6332cfa985cd393ef94392abefac8ab4ee64ecb7edca65c1506999a54a525a0

SHA512
ddd2c46a9f29dff337b8454360c711840d154fe82723c2578951fdfc01be00899323027028d7ae8e2caf143f0bac6ac768926b4f3a1ba7b20ab6ee0309421443

Download Submit
C:\Users\Admin\tbtnds.dat

Filesize
4KB

MD5
8809dc7d71d4a6cc92bd7d25f964652a

SHA1
d4a551ac5be0b1b706b3818584353404bb91a48f

SHA256
22da829c1077b946f9738fb16fd00884708ae0f1c00b401108e270125b47638a

SHA512
0b561c2cfe025d34efd99d9689c9030e50ee7d91790f552f3c51c79f0188d08d7a652f368a6f03e5f50e65bea8dc94a2752ab0b6c7b16f146715f094c162460b

Download Submit
memory/1624-168-0x000000006F0B0000-0x000000006F0FC000-memory.dmp

Filesize
304KB

Download
memory/4276-36-0x0000000006360000-0x0000000006392000-memory.dmp

Filesize
200KB

Download
memory/4276-21-0x0000000004ED0000-0x0000000004EF2000-memory.dmp

Filesize
136KB

Download
memory/4276-49-0x0000000007750000-0x0000000007DCA000-memory.dmp

Filesize
6.5MB

Download
memory/4276-50-0x00000000070D0000-0x00000000070EA000-memory.dmp

Filesize
104KB

Download
memory/4276-51-0x0000000007120000-0x000000000712A000-memory.dmp

Filesize
40KB

Download
memory/4276-52-0x0000000007330000-0x00000000073C6000-memory.dmp

Filesize
600KB

Download
memory/4276-53-0x00000000072D0000-0x00000000072E1000-memory.dmp

Filesize
68KB

Download
memory/4276-54-0x00000000072F0000-0x00000000072FE000-memory.dmp

Filesize
56KB

Download
memory/4276-55-0x0000000007300000-0x0000000007314000-memory.dmp

Filesize
80KB

Download
memory/4276-56-0x00000000073F0000-0x000000000740A000-memory.dmp

Filesize
104KB

Download
memory/4276-57-0x00000000073D0000-0x00000000073D8000-memory.dmp

Filesize
32KB

Download
memory/4276-47-0x0000000006330000-0x000000000634E000-memory.dmp

Filesize
120KB

Download
memory/4276-35-0x00000000060D0000-0x000000000611C000-memory.dmp

Filesize
304KB

Download
memory/4276-33-0x0000000005900000-0x0000000005C54000-memory.dmp

Filesize
3.3MB

Download
memory/4276-48-0x0000000006FA0000-0x0000000007043000-memory.dmp

Filesize
652KB

Download
memory/4276-23-0x0000000005790000-0x00000000057F6000-memory.dmp

Filesize
408KB

Download
memory/4276-37-0x000000006F0B0000-0x000000006F0FC000-memory.dmp

Filesize
304KB

Download
memory/4276-19-0x00000000027C0000-0x00000000027F6000-memory.dmp

Filesize
216KB

Download
memory/4276-20-0x0000000004FF0000-0x0000000005618000-memory.dmp

Filesize
6.2MB

Download
memory/4276-34-0x0000000005D80000-0x0000000005D9E000-memory.dmp

Filesize
120KB

Download
memory/4276-22-0x0000000004F70000-0x0000000004FD6000-memory.dmp

Filesize
408KB

Download
memory/4500-5-0x0000000074480000-0x0000000074C30000-memory.dmp

Filesize
7.7MB

Download
memory/4500-4-0x000000007448E000-0x000000007448F000-memory.dmp

Filesize
4KB

Download
memory/4500-3-0x0000000074480000-0x0000000074C30000-memory.dmp

Filesize
7.7MB

Download
memory/4500-2-0x0000000004EB0000-0x0000000004F4C000-memory.dmp

Filesize
624KB

Download
memory/4500-0-0x000000007448E000-0x000000007448F000-memory.dmp

Filesize
4KB

Download
memory/4500-1-0x00000000004A0000-0x00000000004A8000-memory.dmp

Filesize
32KB

Download
memory/4748-105-0x0000000000400000-0x0000000000C6B000-memory.dmp

Filesize
8.4MB

Download
memory/4748-83-0x0000000140000000-0x0000000140278000-memory.dmp

Filesize
2.5MB

Download
memory/4748-107-0x0000000140000000-0x0000000140278000-memory.dmp

Filesize
2.5MB

Download
memory/4748-93-0x0000000140000000-0x0000000140278000-memory.dmp

Filesize
2.5MB

Download
memory/4748-77-0x0000000140000000-0x0000000140278000-memory.dmp

Filesize
2.5MB

Download
memory/4748-78-0x0000000140000000-0x0000000140278000-memory.dmp

Filesize
2.5MB

Download
memory/4748-79-0x0000000140000000-0x0000000140278000-memory.dmp

Filesize
2.5MB

Download
memory/4748-210-0x0000000140000000-0x0000000140278000-memory.dmp

Filesize
2.5MB

Download
memory/4748-81-0x0000000140000000-0x0000000140278000-memory.dmp

Filesize
2.5MB

Download
memory/4748-150-0x0000000140000000-0x0000000140278000-memory.dmp

Filesize
2.5MB

Download
memory/4748-84-0x0000000140000000-0x0000000140278000-memory.dmp

Filesize
2.5MB

Download
memory/4748-71-0x0000000140000000-0x0000000140278000-memory.dmp

Filesize
2.5MB

Download
memory/4748-82-0x0000000140000000-0x0000000140278000-memory.dmp

Filesize
2.5MB

Download
memory/4748-80-0x0000000140000000-0x0000000140278000-memory.dmp

Filesize
2.5MB

Download
memory/4832-294-0x000000006F0A0000-0x000000006F0EC000-memory.dmp

Filesize
304KB

Download
memory/4832-304-0x0000000006DD0000-0x0000000006E73000-memory.dmp

Filesize
652KB

Download
memory/4832-305-0x0000000007060000-0x0000000007071000-memory.dmp

Filesize
68KB

Download
memory/4832-306-0x00000000070A0000-0x00000000070B4000-memory.dmp

Filesize
80KB

Download
memory/4832-293-0x0000000005CD0000-0x0000000005D1C000-memory.dmp

Filesize
304KB

Download
memory/4832-291-0x00000000054B0000-0x0000000005804000-memory.dmp

Filesize
3.3MB

Download