Analysis Overview
SHA256
79ee1c91ea5545d6de00ddedfeada11b71df432015127ea18692dd90827f0046
Threat Level: Known bad
The file 79ee1c91ea5545d6de00ddedfeada11b71df432015127ea18692dd90827f0046 was found to be: Known bad.
Malicious Activity Summary
Phorphiex, Phorpiex
Suspicious use of NtCreateUserProcessOtherParentProcess
Phorphiex family
Phorphiex payload
Xmrig family
xmrig
XMRig Miner payload
Downloads MZ/PE file
Executes dropped EXE
Loads dropped DLL
Checks computer location settings
Adds Run key to start application
Command and Scripting Interpreter: PowerShell
Drops file in System32 directory
Suspicious use of SetThreadContext
Drops file in Windows directory
Program crash
System Location Discovery: System Language Discovery
Unsigned PE
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious use of AdjustPrivilegeToken
Modifies data under HKEY_USERS
Modifies registry class
Suspicious use of WriteProcessMemory
Scheduled Task/Job: Scheduled Task
Suspicious use of SendNotifyMessage
Uses Task Scheduler COM API
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-16 22:37
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-16 22:37
Reported
2024-11-16 22:40
Platform
win7-20240903-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
Phorphiex family
Phorphiex payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Phorphiex, Phorpiex
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 1436 created 1124 | N/A | C:\Users\Admin\AppData\Local\Temp\1079436413.exe | C:\Windows\Explorer.EXE |
| PID 1436 created 1124 | N/A | C:\Users\Admin\AppData\Local\Temp\1079436413.exe | C:\Windows\Explorer.EXE |
| PID 2828 created 1124 | N/A | C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe | C:\Windows\Explorer.EXE |
| PID 2828 created 1124 | N/A | C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe | C:\Windows\Explorer.EXE |
| PID 2828 created 1124 | N/A | C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe | C:\Windows\Explorer.EXE |
Xmrig family
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Downloads MZ/PE file
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\E9E2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\673518148.exe | N/A |
| N/A | N/A | C:\Windows\sysnldcvmr.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\185484754.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2354925334.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1763513759.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\226361571.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1079436413.exe | N/A |
| N/A | N/A | C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\79ee1c91ea5545d6de00ddedfeada11b71df432015127ea18692dd90827f0046.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\E9E2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\E9E2.exe | N/A |
| N/A | N/A | C:\Windows\sysnldcvmr.exe | N/A |
| N/A | N/A | C:\Windows\sysnldcvmr.exe | N/A |
| N/A | N/A | C:\Windows\sysnldcvmr.exe | N/A |
| N/A | N/A | C:\Windows\sysnldcvmr.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1763513759.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskeng.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\sysnldcvmr.exe" | C:\Users\Admin\AppData\Local\Temp\673518148.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2828 set thread context of 2404 | N/A | C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe | C:\Windows\System32\conhost.exe |
| PID 2828 set thread context of 2672 | N/A | C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe | C:\Windows\System32\dwm.exe |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\sysnldcvmr.exe | C:\Users\Admin\AppData\Local\Temp\673518148.exe | N/A |
| File opened for modification | C:\Windows\sysnldcvmr.exe | C:\Users\Admin\AppData\Local\Temp\673518148.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\79ee1c91ea5545d6de00ddedfeada11b71df432015127ea18692dd90827f0046.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\E9E2.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\673518148.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\sysnldcvmr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1763513759.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\79ee1c91ea5545d6de00ddedfeada11b71df432015127ea18692dd90827f0046.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\ | C:\Users\Admin\AppData\Local\Temp\79ee1c91ea5545d6de00ddedfeada11b71df432015127ea18692dd90827f0046.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\ | C:\Users\Admin\AppData\Local\Temp\79ee1c91ea5545d6de00ddedfeada11b71df432015127ea18692dd90827f0046.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\185484754.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1079436413.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1079436413.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1079436413.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1079436413.exe | N/A |
| N/A | N/A | C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe | N/A |
| N/A | N/A | C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe | N/A |
| N/A | N/A | C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe | N/A |
| N/A | N/A | C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe | N/A |
| N/A | N/A | C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\185484754.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\System32\dwm.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\System32\dwm.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\79ee1c91ea5545d6de00ddedfeada11b71df432015127ea18692dd90827f0046.exe
"C:\Users\Admin\AppData\Local\Temp\79ee1c91ea5545d6de00ddedfeada11b71df432015127ea18692dd90827f0046.exe"
C:\Users\Admin\AppData\Local\Temp\E9E2.exe
"C:\Users\Admin\AppData\Local\Temp\E9E2.exe"
C:\Users\Admin\AppData\Local\Temp\79ee1c91ea5545d6de00ddedfeada11b71df432015127ea18692dd90827f0046.exe
"C:\Users\Admin\AppData\Local\Temp\79ee1c91ea5545d6de00ddedfeada11b71df432015127ea18692dd90827f0046.exe" --channel=2668.0.672440583 --type=renderer
C:\Users\Admin\AppData\Local\Temp\673518148.exe
C:\Users\Admin\AppData\Local\Temp\673518148.exe
C:\Windows\sysnldcvmr.exe
C:\Windows\sysnldcvmr.exe
C:\Users\Admin\AppData\Local\Temp\185484754.exe
C:\Users\Admin\AppData\Local\Temp\185484754.exe
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /delete /f /tn "Windows Upgrade Manager"
C:\Windows\system32\reg.exe
reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f
C:\Windows\system32\schtasks.exe
schtasks /delete /f /tn "Windows Upgrade Manager"
C:\Users\Admin\AppData\Local\Temp\2354925334.exe
C:\Users\Admin\AppData\Local\Temp\2354925334.exe
C:\Users\Admin\AppData\Local\Temp\1763513759.exe
C:\Users\Admin\AppData\Local\Temp\1763513759.exe
C:\Users\Admin\AppData\Local\Temp\226361571.exe
C:\Users\Admin\AppData\Local\Temp\226361571.exe
C:\Users\Admin\AppData\Local\Temp\1079436413.exe
C:\Users\Admin\AppData\Local\Temp\1079436413.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#evrkcgqew#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Microsoft Windows Security' /tr '''C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Microsoft Windows Security' -RunLevel 'Highest' -Force; }
C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /tn "Microsoft Windows Security" /tr "'C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe'"
C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /run /tn "Microsoft Windows Security"
C:\Windows\system32\taskeng.exe
taskeng.exe {DC0AFAA6-26D5-41DD-A2FB-14A39E165F6A} S-1-5-21-2872745919-2748461613-2989606286-1000:CCJBVTGQ\Admin:Interactive:[1]
C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe
"C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#evrkcgqew#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Microsoft Windows Security' /tr '''C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Microsoft Windows Security' -RunLevel 'Highest' -Force; }
C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /tn "Microsoft Windows Security" /tr "'C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe'"
C:\Windows\System32\conhost.exe
C:\Windows\System32\conhost.exe
C:\Windows\System32\dwm.exe
C:\Windows\System32\dwm.exe
Network
| Country | Destination | Domain | Proto |
| RU | 185.215.113.66:80 | 185.215.113.66 | tcp |
| US | 8.8.8.8:53 | twizt.net | udp |
| RU | 185.215.113.66:80 | twizt.net | tcp |
| RU | 185.215.113.66:80 | twizt.net | tcp |
| RU | 185.215.113.66:80 | twizt.net | tcp |
| RU | 185.215.113.66:80 | twizt.net | tcp |
| RU | 185.215.113.66:80 | twizt.net | tcp |
| RU | 185.215.113.66:80 | twizt.net | tcp |
| US | 8.8.8.8:53 | www.update.microsoft.com | udp |
| US | 20.109.209.108:80 | www.update.microsoft.com | tcp |
| RU | 185.215.113.84:80 | 185.215.113.84 | tcp |
| KZ | 95.59.61.132:40500 | | udp |
| IR | 2.177.144.169:40500 | | tcp |
| RU | 185.215.113.66:80 | twizt.net | tcp |
| UZ | 89.249.62.94:40500 | | udp |
| TM | 91.202.233.141:80 | 91.202.233.141 | tcp |
| IR | 89.144.152.186:40500 | | udp |
| KZ | 5.251.234.88:40500 | | udp |
| US | 8.8.8.8:53 | twizthash.net | udp |
| RU | 185.215.113.66:5152 | twizthash.net | tcp |
| IR | 77.81.130.60:40500 | | udp |
| UZ | 217.30.162.244:40500 | | udp |
| RU | 37.21.26.152:40500 | | tcp |
| RU | 176.214.150.127:40500 | | udp |
| IR | 2.191.88.20:40500 | | udp |
| UA | 93.175.220.40:40500 | | udp |
| KZ | 109.239.42.219:40500 | | udp |
| IR | 89.43.216.137:40500 | | tcp |
| AO | 154.71.224.9:40500 | | udp |
| DZ | 105.97.157.130:40500 | | udp |
| KZ | 178.91.167.50:40500 | | udp |
| MX | 187.192.185.201:40500 | | udp |
| UZ | 90.156.160.12:40500 | | udp |
| RU | 178.67.165.88:40500 | | tcp |
| EG | 102.189.164.188:40500 | | udp |
| IR | 80.250.196.82:40500 | | udp |
| YE | 178.130.118.237:40500 | | udp |
Files
C:\Users\Admin\AppData\Local\Temp\E9E2.exe
| MD5 | 8d8e6c7952a9dc7c0c73911c4dbc5518 |
| SHA1 | 9098da03b33b2c822065b49d5220359c275d5e94 |
| SHA256 | feb4c3ae4566f0acbb9e0f55417b61fefd89dc50a4e684df780813fb01d61278 |
| SHA512 | 91a573843c28dd32a9f31a60ba977f9a3d4bb19ffd1b7254333e09bcecef348c1b3220a348ebb2cb08edb57d56cb7737f026519da52199c9dc62c10aea236645 |
memory/2916-8-0x0000000000C20000-0x0000000000C22000-memory.dmp
\Users\Admin\AppData\Local\Temp\673518148.exe
| MD5 | 0c883b1d66afce606d9830f48d69d74b |
| SHA1 | fe431fe73a4749722496f19b3b3ca0b629b50131 |
| SHA256 | d921fc993574c8be76553bcf4296d2851e48ee39b958205e69bdfd7cf661d2b1 |
| SHA512 | c047452a23efad4262479fbfeb5e23f9497d7cefd4cbb58e869801206669c2a0759698c70d18050316798d5d939b989537fdce3842aa742449f5e08ed7fa60a5 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZKZ95V4R\1[1]
| MD5 | 1fcb78fb6cf9720e9d9494c42142d885 |
| SHA1 | fef9c2e728ab9d56ce9ed28934b3182b6f1d5379 |
| SHA256 | 84652bb8c63ca4fd7eb7a2d6ef44029801f3057aa2961867245a3a765928dd02 |
| SHA512 | cdf58e463af1784aea86995b3e5d6b07701c5c4095e30ec80cc901ffd448c6f4f714c521bf8796ffa8c47538bf8bf5351e157596efaa7ab88155d63dc33f7dc3 |
\Users\Admin\AppData\Local\Temp\185484754.exe
| MD5 | cb8420e681f68db1bad5ed24e7b22114 |
| SHA1 | 416fc65d538d3622f5ca71c667a11df88a927c31 |
| SHA256 | 5850892f67f85991b31fc90f62c8b7791afeb3c08ae1877d857aa2b59471a2ea |
| SHA512 | baaabcc4ad5d409267a34ed7b20e4afb4d247974bfc581d39aae945e5bf8a673a1f8eacae2e6783480c8baaeb0a80d028274a202d456f13d0af956afa0110fdf |
memory/3048-112-0x000000013FF70000-0x000000013FF76000-memory.dmp
\Users\Admin\AppData\Local\Temp\2354925334.exe
| MD5 | 6946486673f91392724e944be9ca9249 |
| SHA1 | e74009983ced1fa683cda30b52ae889bc2ca6395 |
| SHA256 | 885fbe678b117e5e0eace7c64980f6072c31290eb36d0e14953d6a2d12eff9cd |
| SHA512 | e3241f85def0efefd36b3ffb6722ab025e8523082e4cf3e7f35ff86a9a452b5a50454c3b9530dfdad3929f74a6e42bf2a2cf35e404af588f778e0579345b38c9 |
\Users\Admin\AppData\Local\Temp\1763513759.exe
| MD5 | 96509ab828867d81c1693b614b22f41d |
| SHA1 | c5f82005dbda43cedd86708cc5fc3635a781a67e |
| SHA256 | a9de2927b0ec45cf900508fec18531c04ee9fa8a5dfe2fc82c67d9458cf4b744 |
| SHA512 | ff603117a06da8fb2386c1d2049a5896774e41f34d05951ecd4e7b5fc9da51a373e3fcf61af3577ff78490cf898471ce8e71eae848a12812fe98cd7e76e1a9ca |
\Users\Admin\AppData\Local\Temp\226361571.exe
| MD5 | 0c37ee292fec32dba0420e6c94224e28 |
| SHA1 | 012cbdddaddab319a4b3ae2968b42950e929c46b |
| SHA256 | 981d724feebc36777e99513dc061d1f009e589f965c920797285c46d863060d1 |
| SHA512 | 2b60b571c55d0441ba0cfc695f9db5cd12660ebec7effc7e893c3b7a1c6cb6149df487c31b8d748697e260cbc4af29331592b705ea9638f64a711c7a6164628b |
\Users\Admin\AppData\Local\Temp\1079436413.exe
| MD5 | 13b26b2c7048a92d6a843c1302618fad |
| SHA1 | 89c2dfc01ac12ef2704c7669844ec69f1700c1ca |
| SHA256 | 1753ad35ece25ab9a19048c70062e9170f495e313d7355ebbba59c38f5d90256 |
| SHA512 | d6aff89b61c9945002a6798617ad304612460a607ef1cfbdcb32f8932ca648bcee1d5f2e0321bb4c58c1f4642b1e0ececc1eb82450fdec7dff69b5389f195455 |
memory/2344-147-0x000000001B620000-0x000000001B902000-memory.dmp
memory/2344-148-0x0000000002200000-0x0000000002208000-memory.dmp
memory/1436-151-0x000000013F1C0000-0x000000013F757000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | f971568090cbd32c045f51c377190943 |
| SHA1 | eec01601cc2be76d217fea7d4a20f37d1f026570 |
| SHA256 | e23913f482cbea29b231a03ef75d83e9131252f08b515fbf59c70d29bed1c6b4 |
| SHA512 | 96fd286788a40bd99d19d7375bfc8f00310251d366ce39911fa5bdc649af80c666cb95ad6546b7fae258414cac843fdbb9d3a8ab31ae472610993eea71c39437 |
memory/2624-160-0x000000001B500000-0x000000001B7E2000-memory.dmp
memory/2624-161-0x0000000002750000-0x0000000002758000-memory.dmp
memory/2672-167-0x0000000000250000-0x0000000000270000-memory.dmp
memory/2828-166-0x000000013F240000-0x000000013F7D7000-memory.dmp
memory/2672-169-0x0000000140000000-0x00000001407EF000-memory.dmp
memory/2404-168-0x0000000140000000-0x0000000140029000-memory.dmp
memory/2404-170-0x0000000140000000-0x0000000140029000-memory.dmp
memory/2672-171-0x0000000140000000-0x00000001407EF000-memory.dmp
memory/2672-173-0x0000000140000000-0x00000001407EF000-memory.dmp
memory/2672-175-0x0000000140000000-0x00000001407EF000-memory.dmp
memory/2672-178-0x0000000140000000-0x00000001407EF000-memory.dmp
memory/2672-180-0x0000000140000000-0x00000001407EF000-memory.dmp
memory/2672-182-0x0000000140000000-0x00000001407EF000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-16 22:37
Reported
2024-11-16 22:40
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
Phorphiex family
Phorphiex payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Phorphiex, Phorpiex
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 968 created 3392 | N/A | C:\Users\Admin\AppData\Local\Temp\2941726316.exe | C:\Windows\Explorer.EXE |
| PID 968 created 3392 | N/A | C:\Users\Admin\AppData\Local\Temp\2941726316.exe | C:\Windows\Explorer.EXE |
| PID 4664 created 3392 | N/A | C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe | C:\Windows\Explorer.EXE |
| PID 4664 created 3392 | N/A | C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe | C:\Windows\Explorer.EXE |
| PID 4664 created 3392 | N/A | C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe | C:\Windows\Explorer.EXE |
Xmrig family
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Downloads MZ/PE file
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\2802026625.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AF6A.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1441620776.exe | N/A |
| N/A | N/A | C:\Windows\sysnldcvmr.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2802026625.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3122314675.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\208963388.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2148524255.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2941726316.exe | N/A |
| N/A | N/A | C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\sysnldcvmr.exe" | C:\Users\Admin\AppData\Local\Temp\1441620776.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4664 set thread context of 4408 | N/A | C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe | C:\Windows\System32\conhost.exe |
| PID 4664 set thread context of 1176 | N/A | C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe | C:\Windows\System32\dwm.exe |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\sysnldcvmr.exe | C:\Users\Admin\AppData\Local\Temp\1441620776.exe | N/A |
| File opened for modification | C:\Windows\sysnldcvmr.exe | C:\Users\Admin\AppData\Local\Temp\1441620776.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\79ee1c91ea5545d6de00ddedfeada11b71df432015127ea18692dd90827f0046.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\sysnldcvmr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\3122314675.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\208963388.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2148524255.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\79ee1c91ea5545d6de00ddedfeada11b71df432015127ea18692dd90827f0046.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\AF6A.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\79ee1c91ea5545d6de00ddedfeada11b71df432015127ea18692dd90827f0046.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1441620776.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\ | C:\Users\Admin\AppData\Local\Temp\79ee1c91ea5545d6de00ddedfeada11b71df432015127ea18692dd90827f0046.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\ | C:\Users\Admin\AppData\Local\Temp\79ee1c91ea5545d6de00ddedfeada11b71df432015127ea18692dd90827f0046.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\79ee1c91ea5545d6de00ddedfeada11b71df432015127ea18692dd90827f0046.exe
"C:\Users\Admin\AppData\Local\Temp\79ee1c91ea5545d6de00ddedfeada11b71df432015127ea18692dd90827f0046.exe"
C:\Users\Admin\AppData\Local\Temp\AF6A.exe
"C:\Users\Admin\AppData\Local\Temp\AF6A.exe"
C:\Users\Admin\AppData\Local\Temp\79ee1c91ea5545d6de00ddedfeada11b71df432015127ea18692dd90827f0046.exe
"C:\Users\Admin\AppData\Local\Temp\79ee1c91ea5545d6de00ddedfeada11b71df432015127ea18692dd90827f0046.exe" --channel=5020.0.826378198 --type=renderer
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2788 -ip 2788
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2788 -s 780
C:\Users\Admin\AppData\Local\Temp\1441620776.exe
C:\Users\Admin\AppData\Local\Temp\1441620776.exe
C:\Windows\sysnldcvmr.exe
C:\Windows\sysnldcvmr.exe
C:\Users\Admin\AppData\Local\Temp\2802026625.exe
C:\Users\Admin\AppData\Local\Temp\2802026625.exe
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /delete /f /tn "Windows Upgrade Manager"
C:\Windows\system32\reg.exe
reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f
C:\Windows\system32\schtasks.exe
schtasks /delete /f /tn "Windows Upgrade Manager"
C:\Users\Admin\AppData\Local\Temp\3122314675.exe
C:\Users\Admin\AppData\Local\Temp\3122314675.exe
C:\Users\Admin\AppData\Local\Temp\208963388.exe
C:\Users\Admin\AppData\Local\Temp\208963388.exe
C:\Users\Admin\AppData\Local\Temp\2148524255.exe
C:\Users\Admin\AppData\Local\Temp\2148524255.exe
C:\Users\Admin\AppData\Local\Temp\2941726316.exe
C:\Users\Admin\AppData\Local\Temp\2941726316.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#evrkcgqew#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Microsoft Windows Security' /tr '''C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Microsoft Windows Security' -RunLevel 'Highest' -Force; }
C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /run /tn "Microsoft Windows Security"
C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe
"C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#evrkcgqew#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Microsoft Windows Security' /tr '''C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Microsoft Windows Security' -RunLevel 'Highest' -Force; }
C:\Windows\System32\conhost.exe
C:\Windows\System32\conhost.exe
C:\Windows\System32\dwm.exe
C:\Windows\System32\dwm.exe
Network
| Country | Destination | Domain | Proto |
| RU | 185.215.113.66:80 | 185.215.113.66 | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 66.113.215.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 182.129.81.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | twizt.net | udp |
| RU | 185.215.113.66:80 | twizt.net | tcp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| RU | 185.215.113.66:80 | twizt.net | tcp |
| RU | 185.215.113.66:80 | twizt.net | tcp |
| RU | 185.215.113.66:80 | twizt.net | tcp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| RU | 185.215.113.66:80 | twizt.net | tcp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.190.18.2.in-addr.arpa | udp |
| RU | 185.215.113.66:80 | twizt.net | tcp |
| RU | 185.215.113.84:80 | 185.215.113.84 | tcp |
| US | 8.8.8.8:53 | 84.113.215.185.in-addr.arpa | udp |
| RU | 185.215.113.66:80 | twizt.net | tcp |
| TM | 91.202.233.141:80 | 91.202.233.141 | tcp |
| US | 8.8.8.8:53 | 141.233.202.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.update.microsoft.com | udp |
| US | 20.109.209.108:80 | www.update.microsoft.com | tcp |
| US | 8.8.8.8:53 | 108.209.109.20.in-addr.arpa | udp |
| UZ | 217.30.162.161:40500 | | udp |
| RU | 194.186.84.81:40500 | | tcp |
| US | 8.8.8.8:53 | 161.162.30.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | twizthash.net | udp |
| RU | 185.215.113.66:5152 | twizthash.net | tcp |
| IR | 5.232.126.125:40500 | | udp |
| US | 8.8.8.8:53 | 125.126.232.5.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| YE | 134.35.100.89:40500 | | udp |
| US | 8.8.8.8:53 | 89.100.35.134.in-addr.arpa | udp |
| AO | 129.122.185.117:40500 | | udp |
| US | 8.8.8.8:53 | 117.185.122.129.in-addr.arpa | udp |
| IN | 59.91.192.115:40500 | | udp |
| US | 8.8.8.8:53 | 115.192.91.59.in-addr.arpa | udp |
| IR | 2.190.67.184:40500 | | udp |
| IR | 151.241.234.162:40500 | | tcp |
| US | 8.8.8.8:53 | 184.67.190.2.in-addr.arpa | udp |
| SY | 88.86.12.98:40500 | | udp |
| US | 8.8.8.8:53 | 98.12.86.88.in-addr.arpa | udp |
| UZ | 62.209.135.143:40500 | | udp |
| US | 8.8.8.8:53 | 143.135.209.62.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| YE | 46.35.79.193:40500 | | udp |
| US | 8.8.8.8:53 | 193.79.35.46.in-addr.arpa | udp |
| UZ | 90.156.163.98:40500 | | udp |
| US | 8.8.8.8:53 | 98.163.156.90.in-addr.arpa | udp |
| RU | 45.150.25.234:40500 | | udp |
| US | 8.8.8.8:53 | 234.25.150.45.in-addr.arpa | udp |
| UZ | 45.150.26.122:40500 | | tcp |
| KZ | 37.99.52.150:40500 | | udp |
| US | 8.8.8.8:53 | 150.52.99.37.in-addr.arpa | udp |
| UZ | 217.30.162.244:40500 | | udp |
| US | 8.8.8.8:53 | 244.162.30.217.in-addr.arpa | udp |
| IR | 188.215.221.55:40500 | | udp |
| US | 8.8.8.8:53 | 55.221.215.188.in-addr.arpa | udp |
| RU | 212.3.146.135:40500 | | udp |
| US | 8.8.8.8:53 | 135.146.3.212.in-addr.arpa | udp |
| UZ | 90.156.194.146:40500 | | udp |
| US | 8.8.8.8:53 | 146.194.156.90.in-addr.arpa | udp |
| IR | 93.119.67.90:40500 | tcp | |
| KZ | 88.204.209.230:40500 | udp | |
| US | 8.8.8.8:53 | 230.209.204.88.in-addr.arpa | udp |
| BY | 46.56.85.158:40500 | udp | |
| US | 8.8.8.8:53 | 158.85.56.46.in-addr.arpa | udp |
| SY | 95.212.73.0:40500 | udp | |
| US | 8.8.8.8:53 | 0.73.212.95.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\AF6A.exe
| MD5 | 8d8e6c7952a9dc7c0c73911c4dbc5518 |
| SHA1 | 9098da03b33b2c822065b49d5220359c275d5e94 |
| SHA256 | feb4c3ae4566f0acbb9e0f55417b61fefd89dc50a4e684df780813fb01d61278 |
| SHA512 | 91a573843c28dd32a9f31a60ba977f9a3d4bb19ffd1b7254333e09bcecef348c1b3220a348ebb2cb08edb57d56cb7737f026519da52199c9dc62c10aea236645 |
C:\Users\Admin\AppData\Local\Temp\1441620776.exe
| MD5 | 0c883b1d66afce606d9830f48d69d74b |
| SHA1 | fe431fe73a4749722496f19b3b3ca0b629b50131 |
| SHA256 | d921fc993574c8be76553bcf4296d2851e48ee39b958205e69bdfd7cf661d2b1 |
| SHA512 | c047452a23efad4262479fbfeb5e23f9497d7cefd4cbb58e869801206669c2a0759698c70d18050316798d5d939b989537fdce3842aa742449f5e08ed7fa60a5 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\321WJBEQ\1[1]
| MD5 | 1fcb78fb6cf9720e9d9494c42142d885 |
| SHA1 | fef9c2e728ab9d56ce9ed28934b3182b6f1d5379 |
| SHA256 | 84652bb8c63ca4fd7eb7a2d6ef44029801f3057aa2961867245a3a765928dd02 |
| SHA512 | cdf58e463af1784aea86995b3e5d6b07701c5c4095e30ec80cc901ffd448c6f4f714c521bf8796ffa8c47538bf8bf5351e157596efaa7ab88155d63dc33f7dc3 |
C:\Users\Admin\AppData\Local\Temp\2802026625.exe
| MD5 | cb8420e681f68db1bad5ed24e7b22114 |
| SHA1 | 416fc65d538d3622f5ca71c667a11df88a927c31 |
| SHA256 | 5850892f67f85991b31fc90f62c8b7791afeb3c08ae1877d857aa2b59471a2ea |
| SHA512 | baaabcc4ad5d409267a34ed7b20e4afb4d247974bfc581d39aae945e5bf8a673a1f8eacae2e6783480c8baaeb0a80d028274a202d456f13d0af956afa0110fdf |
memory/4188-44-0x0000000000140000-0x0000000000146000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\3122314675.exe
| MD5 | 6946486673f91392724e944be9ca9249 |
| SHA1 | e74009983ced1fa683cda30b52ae889bc2ca6395 |
| SHA256 | 885fbe678b117e5e0eace7c64980f6072c31290eb36d0e14953d6a2d12eff9cd |
| SHA512 | e3241f85def0efefd36b3ffb6722ab025e8523082e4cf3e7f35ff86a9a452b5a50454c3b9530dfdad3929f74a6e42bf2a2cf35e404af588f778e0579345b38c9 |
C:\Users\Admin\AppData\Local\Temp\208963388.exe
| MD5 | 96509ab828867d81c1693b614b22f41d |
| SHA1 | c5f82005dbda43cedd86708cc5fc3635a781a67e |
| SHA256 | a9de2927b0ec45cf900508fec18531c04ee9fa8a5dfe2fc82c67d9458cf4b744 |
| SHA512 | ff603117a06da8fb2386c1d2049a5896774e41f34d05951ecd4e7b5fc9da51a373e3fcf61af3577ff78490cf898471ce8e71eae848a12812fe98cd7e76e1a9ca |
C:\Users\Admin\AppData\Local\Temp\2148524255.exe
| MD5 | 0c37ee292fec32dba0420e6c94224e28 |
| SHA1 | 012cbdddaddab319a4b3ae2968b42950e929c46b |
| SHA256 | 981d724feebc36777e99513dc061d1f009e589f965c920797285c46d863060d1 |
| SHA512 | 2b60b571c55d0441ba0cfc695f9db5cd12660ebec7effc7e893c3b7a1c6cb6149df487c31b8d748697e260cbc4af29331592b705ea9638f64a711c7a6164628b |
C:\Users\Admin\AppData\Local\Temp\2941726316.exe
| MD5 | 13b26b2c7048a92d6a843c1302618fad |
| SHA1 | 89c2dfc01ac12ef2704c7669844ec69f1700c1ca |
| SHA256 | 1753ad35ece25ab9a19048c70062e9170f495e313d7355ebbba59c38f5d90256 |
| SHA512 | d6aff89b61c9945002a6798617ad304612460a607ef1cfbdcb32f8932ca648bcee1d5f2e0321bb4c58c1f4642b1e0ececc1eb82450fdec7dff69b5389f195455 |
memory/3832-76-0x00000276A2100000-0x00000276A2122000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_pfsb0lda.k21.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/968-85-0x00007FF767240000-0x00007FF7677D7000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | fee026663fcb662152188784794028ee |
| SHA1 | 3c02a26a9cb16648fad85c6477b68ced3cb0cb45 |
| SHA256 | dbd4136bc342e3e92902ec3a30d165452c82997a7ae24ac90775e42d88959e6b |
| SHA512 | 7b12bd5c8fc4356b9123d6586b4980cf76012663b41c0dab6f6f21567e2f4005c5bcea2cc2158d157e4f801a281f3e04bad3774cddb3122db309ccf662184bd6 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | cc6cfea44f94d487d302fe97587a055e |
| SHA1 | 557162e994c02df41a16f0aec6ae9b6dab3ac9eb |
| SHA256 | 7569944335801a4a9ad619291599faab03d1f1e6915042b32c7c80aa49803fe3 |
| SHA512 | 9a19216612bd0724d7f7d346966699766ac09e2480239d8af2036f6239c248c9df4b45d8b57c64e4016d1eb8b9e20fe0f45fb09cad37a96668db5ddefbf58ee6 |
memory/4664-104-0x00007FF613740000-0x00007FF613CD7000-memory.dmp
memory/1176-106-0x00007FF668E50000-0x00007FF66963F000-memory.dmp
memory/4408-105-0x00007FF7C36A0000-0x00007FF7C36C9000-memory.dmp
memory/4408-107-0x00007FF7C36A0000-0x00007FF7C36C9000-memory.dmp
memory/1176-108-0x00007FF668E50000-0x00007FF66963F000-memory.dmp
memory/1176-110-0x00007FF668E50000-0x00007FF66963F000-memory.dmp
memory/1176-112-0x00007FF668E50000-0x00007FF66963F000-memory.dmp
memory/1176-114-0x00007FF668E50000-0x00007FF66963F000-memory.dmp
memory/1176-117-0x00007FF668E50000-0x00007FF66963F000-memory.dmp
memory/1176-119-0x00007FF668E50000-0x00007FF66963F000-memory.dmp
memory/1176-121-0x00007FF668E50000-0x00007FF66963F000-memory.dmp
memory/1176-123-0x00007FF668E50000-0x00007FF66963F000-memory.dmp