Analysis Overview
SHA256
c94750f87bb70c03a496307e6a67aedc4d7c12a827c01dd10166a3d0ba4d8fc7
Threat Level: Likely malicious
The file Protected.exe was found to be: Likely malicious.
Malicious Activity Summary
Downloads MZ/PE file
Sets service image path in registry
Executes dropped EXE
Obfuscated with Agile.Net obfuscator
Checks computer location settings
Hide Artifacts: Hidden Files and Directories
Drops file in Windows directory
Unsigned PE
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Command and Scripting Interpreter: PowerShell
Suspicious behavior: EnumeratesProcesses
Delays execution with timeout.exe
Runs net.exe
Suspicious use of WriteProcessMemory
Enumerates system info in registry
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: LoadsDriver
Modifies system certificate store
Views/modifies file attributes
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-09-23 18:15
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-09-23 18:15
Reported
2024-09-23 18:18
Platform
win7-20240903-en
Max time kernel
119s
Max time network
120s
Command Line
Signatures
Obfuscated with Agile.Net obfuscator
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Protected.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Users\Admin\AppData\Local\Temp\Protected.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Users\Admin\AppData\Local\Temp\Protected.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion | C:\Users\Admin\AppData\Local\Temp\Protected.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 | C:\Users\Admin\AppData\Local\Temp\Protected.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = … | C:\Users\Admin\AppData\Local\Temp\Protected.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Protected.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Protected.exe
"C:\Users\Admin\AppData\Local\Temp\Protected.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | keyauth.win | udp |
| US | 104.26.0.5:443 | keyauth.win | tcp |
Files
memory/2372-0-0x0000000074CAE000-0x0000000074CAF000-memory.dmp
memory/2372-1-0x0000000000C00000-0x0000000000FFC000-memory.dmp
memory/2372-2-0x0000000074CA0000-0x000000007538E000-memory.dmp
memory/2372-3-0x0000000006290000-0x000000000664A000-memory.dmp
memory/2372-4-0x0000000006650000-0x0000000006864000-memory.dmp
memory/2372-5-0x00000000071F0000-0x00000000073AA000-memory.dmp
memory/2372-6-0x0000000074CA0000-0x000000007538E000-memory.dmp
memory/2372-7-0x0000000074CAE000-0x0000000074CAF000-memory.dmp
memory/2372-8-0x0000000074CA0000-0x000000007538E000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-09-23 18:15
Reported
2024-09-23 18:18
Platform
win10v2004-20240802-en
Max time kernel
149s
Max time network
138s
Command Line
Signatures
Downloads MZ/PE file
Sets service image path in registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\dinxTKjgRXXvTNFzqJZIt\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\dinxTKjgRXXvTNFzqJZIt" | C:\Windows\windows32\Mapper.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Protected.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\windows32\Mapper.exe | N/A |
| N/A | N/A | C:\Windows\windows32\TPM.exe | N/A |
Obfuscated with Agile.Net obfuscator
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Hide Artifacts: Hidden Files and Directories
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\windows32\Mapper.exe | C:\Users\Admin\AppData\Local\Temp\Protected.exe | N/A |
| File created | C:\Windows\windows32\TPM.sys | C:\Users\Admin\AppData\Local\Temp\Protected.exe | N/A |
| File created | C:\Windows\windows32\first.bat | C:\Users\Admin\AppData\Local\Temp\Protected.exe | N/A |
| File created | C:\Windows\windows32\TPM.exe | C:\Users\Admin\AppData\Local\Temp\Protected.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\timeout.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Protected.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\windows32\TPM.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\chcp.com | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\timeout.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion | C:\Users\Admin\AppData\Local\Temp\Protected.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Users\Admin\AppData\Local\Temp\Protected.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Users\Admin\AppData\Local\Temp\Protected.exe | N/A |
Runs net.exe
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\windows32\Mapper.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Protected.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\windows32\Mapper.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Protected.exe
"C:\Users\Admin\AppData\Local\Temp\Protected.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Windows\windows32\first.bat" "
C:\Windows\windows32\Mapper.exe
Mapper.exe TPM.sys
C:\Windows\windows32\TPM.exe
TPM.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c if not exist "C:\Users\Admin\AppData\Local\Temp\afolder" mkdir "C:\Users\Admin\AppData\Local\Temp\afolder"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c if not exist "C:\Users\Admin\AppData\Local\Temp\ytmp" mkdir "C:\Users\Admin\AppData\Local\Temp\ytmp"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c attrib +h C:\Users\Admin\AppData\Local\Temp\ytmp
C:\Windows\SysWOW64\attrib.exe
attrib +h C:\Users\Admin\AppData\Local\Temp\ytmp
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c if exist "C:\Users\Admin\AppData\Local\Temp\ytmp\tmp5592.bat" del "C:\Users\Admin\AppData\Local\Temp\ytmp\tmp5592.bat"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c if exist "C:\Users\Admin\AppData\Local\Temp\ytmp\tmp6141.exe" del "C:\Users\Admin\AppData\Local\Temp\ytmp\tmp6141.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ytmp\tmp5592.bat "C:\Windows\windows32\TPM.exe"
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Write-Host 'Welcome to ' -NoNewline; Write-Host 'MASKIFY / MIRAI SERVICES' -ForegroundColor Cyan"
C:\Windows\SysWOW64\net.exe
net session
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 session
C:\Windows\SysWOW64\timeout.exe
timeout /t 3 /nobreak
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Clear-Tpm"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Disable-TpmAutoProvisioning"
C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v EnableVirtualizationBasedSecurity /t REG_DWORD /d 0 /f
C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v Enabled /t REG_DWORD /d 0 /f
C:\Windows\SysWOW64\timeout.exe
timeout /t 3
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.140.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.143.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | keyauth.win | udp |
| US | 172.67.72.57:443 | keyauth.win | tcp |
| US | 8.8.8.8:53 | 57.72.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | store1.gofile.io | udp |
| FR | 45.112.123.227:443 | store1.gofile.io | tcp |
| US | 8.8.8.8:53 | store2.gofile.io | udp |
| FR | 45.112.123.239:443 | store2.gofile.io | tcp |
| US | 8.8.8.8:53 | 227.123.112.45.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 239.123.112.45.in-addr.arpa | udp |
Files
memory/3880-0-0x0000000074EDE000-0x0000000074EDF000-memory.dmp
memory/3880-1-0x0000000000810000-0x0000000000C0C000-memory.dmp
memory/3880-2-0x0000000074ED0000-0x0000000075680000-memory.dmp
memory/3880-3-0x0000000005A90000-0x0000000006034000-memory.dmp
memory/3880-4-0x00000000054E0000-0x0000000005572000-memory.dmp
memory/3880-5-0x00000000054C0000-0x00000000054CA000-memory.dmp
memory/3880-6-0x0000000006040000-0x00000000063FA000-memory.dmp
memory/3880-7-0x0000000007650000-0x0000000007864000-memory.dmp
memory/3880-8-0x0000000008870000-0x0000000008A2A000-memory.dmp
memory/3880-9-0x0000000009FE0000-0x000000000A046000-memory.dmp
memory/3880-10-0x0000000074ED0000-0x0000000075680000-memory.dmp
memory/3880-11-0x0000000074EDE000-0x0000000074EDF000-memory.dmp
memory/3880-12-0x0000000074ED0000-0x0000000075680000-memory.dmp
memory/3880-13-0x00000000013A0000-0x00000000013B2000-memory.dmp
memory/3880-15-0x000000000B1C0000-0x000000000B1FC000-memory.dmp
memory/3880-18-0x000000000B200000-0x000000000B2FA000-memory.dmp
memory/3880-19-0x000000000B3C0000-0x000000000B3F4000-memory.dmp
memory/3880-20-0x000000000B870000-0x000000000B902000-memory.dmp
memory/3880-21-0x000000000B910000-0x000000000B91A000-memory.dmp
memory/3880-22-0x0000000074ED0000-0x0000000075680000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\serials.txt
| MD5 | 7c26b38c596bf380c52afeaa5a5697f5 |
| SHA1 | 8ccc5992b9b3aa2d3cb46bffca347cf3a75fd264 |
| SHA256 | 607e92a1d0875fbe231bc5d9c8a5d3df466c18288466de35a1e8cea083b9481c |
| SHA512 | 87ebf005990d153d7f38ebc63ca9fddd40f3ac5f6a227896b55baef5df2789b97dfd01b380a0ba878544f0de765ff076d0e9a6b1ea1ac65eab4f04a261bdcad7 |
memory/3880-28-0x0000000074ED0000-0x0000000075680000-memory.dmp
C:\Windows\windows32\first.bat
| MD5 | fc80bcba34c7b5c52ad16112bdcf02f1 |
| SHA1 | e6e75e60058cba6bb0b17b6dbabc00c2001383e3 |
| SHA256 | 257adc7a94446e06205da6cb489400ad3c5475a5c2a621ae6dce1c74fcde7308 |
| SHA512 | df2612901f3ec6b335a3ad9ed765cd752488b95c066f399ffa9b6febe4dd94ef88a0d846af933758c49ae06d1d578fe6a8fd54998d764f098c12ba4fe99244d8 |
C:\Windows\windows32\Mapper.exe
| MD5 | 284396aa4d663e010b4ecee9ddf90269 |
| SHA1 | 1746d269a0c3f2fb2b75750a732c8339f0cfbfe9 |
| SHA256 | 2a9e2f0f019399b393354db70af0cfabda83f87251943db7d93e50e716c824fb |
| SHA512 | bd9466f00e71b5787bddaf410b71b04af37a7ca60deff6550df344af8dcae5d3ad138e8371dabd3003e3f6e92b92ce457ffa1d83134bf3f68fb2bd090903f062 |
C:\Windows\windows32\TPM.exe
| MD5 | 141f8f2f5ed209f266ea76ff007e5c48 |
| SHA1 | 0e9ce868c3c374b9739fb8e76aad9929db232e2a |
| SHA256 | a95488c430d9d8d9003dd789dfcb3464f9c6a35fba6867a4333295c7e5d079d2 |
| SHA512 | 7bba64202d96c8a449f47e3030a75978b250fd0e0d1dd01f9d5a9d67526bdbbec3a36ba169808e3291f9c1e7bd89f352d3d33632ba959385f833bffe8eddc22e |
C:\Users\Admin\AppData\Local\Temp\ytmp\tmp5592.bat
| MD5 | d6ccd466a92b78feb9b09ec3325aad98 |
| SHA1 | 7b9bd1e5e92f89a21309c5939549b19f9e457960 |
| SHA256 | 8deeea9397a9fe75c58f589dde72f677274985ae1fcf0f37c6e1787ddc1ada3e |
| SHA512 | 02874936cff5eba51aac38543874770f1d2e55b2e93f934c368523e51bbedab37331fb25d83b6ad1d80fa9a732e02b4d9da0b63c472070675a8ea4031e89967a |
memory/1848-47-0x0000000002E00000-0x0000000002E36000-memory.dmp
memory/1848-48-0x0000000005950000-0x0000000005F78000-memory.dmp
memory/1848-50-0x0000000006020000-0x0000000006086000-memory.dmp
memory/1848-49-0x0000000005F80000-0x0000000005FA2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_amd0pq1f.xn1.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/1848-60-0x0000000006330000-0x0000000006684000-memory.dmp
memory/1848-61-0x0000000006710000-0x000000000672E000-memory.dmp
memory/1848-62-0x0000000006750000-0x000000000679C000-memory.dmp
memory/1848-63-0x0000000007D90000-0x000000000840A000-memory.dmp
memory/1848-64-0x0000000006C30000-0x0000000006C4A000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | 6195a91754effb4df74dbc72cdf4f7a6 |
| SHA1 | aba262f5726c6d77659fe0d3195e36a85046b427 |
| SHA256 | 3254495a5513b37a2686a876d0040275414699e7ce760e7b5ee05e41a54b96f5 |
| SHA512 | ed723d15de267390dc93263538428e2c881be3494c996a810616b470d6df7d5acfcc8725687d5c50319ebef45caef44f769bfc32e0dc3abd249dacff4a12cc89 |
memory/4856-77-0x0000000005860000-0x0000000005BB4000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 9d913ae477dc018af41b7df122b2f7d7 |
| SHA1 | 97fe2f10a20dc1584da328ab51aac3172ebf3cd3 |
| SHA256 | 230d927dd2b7f7838577f53b5df07d650c24896b0e40a945e518ee3a0c6e0fe1 |
| SHA512 | a4bebfcc37abfefd335222810de3c37f94e33d855de920b75b632c61a888428e7bfd16c3be9c7b08abbf5fcfd62c7e1893d7b33680395fda1e3f7c6b9b710fe9 |
memory/4856-79-0x0000000006E50000-0x0000000006E82000-memory.dmp
memory/4856-80-0x000000006EC90000-0x000000006ECDC000-memory.dmp
memory/4856-90-0x0000000006E90000-0x0000000006EAE000-memory.dmp
memory/4856-91-0x0000000007170000-0x0000000007213000-memory.dmp
memory/4856-92-0x0000000007280000-0x000000000728A000-memory.dmp
memory/4856-93-0x0000000007470000-0x0000000007506000-memory.dmp
memory/4856-94-0x0000000005D00000-0x0000000005D11000-memory.dmp
memory/4856-95-0x0000000005D40000-0x0000000005D4E000-memory.dmp
memory/4856-96-0x00000000073D0000-0x00000000073E4000-memory.dmp
memory/4856-97-0x0000000007410000-0x0000000007420000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 6cf4fd7d69d1c036fbf6205012928762 |
| SHA1 | b431013ef845ffaff22f572b0a2aac999efa0dbb |
| SHA256 | 1c7b686bb0c36b6a04ad5a2548831de9747914222a5f1d90abeccbd2afcd1c26 |
| SHA512 | 257cf7ea8a73a6e5355d841f8e301c63797a6256423c9fa46973c2b032ae3055708adcc94d52bd38fcfacc33d50fa16f3377a58cb2b7451d10288170aa224e73 |
memory/1764-109-0x000000006EC90000-0x000000006ECDC000-memory.dmp