Analysis Overview
SHA256
10901a912b1705fa6dbada787e7249166c8570e0e88a9413b536208fb0c2fd2b
Threat Level: Known bad
The file 10901a912b1705fa6dbada787e7249166c8570e0e88a9413b536208fb0c2fd2b.exe was found to be: Known bad.
Malicious Activity Summary
Phorphiex, Phorpiex
Xmrig family
xmrig
Phorphiex family
Suspicious use of NtCreateUserProcessOtherParentProcess
Phorphiex payload
XMRig Miner payload
Downloads MZ/PE file
Executes dropped EXE
Deletes itself
Loads dropped DLL
Checks computer location settings
Command and Scripting Interpreter: PowerShell
Adds Run key to start application
Suspicious use of SetThreadContext
Drops file in Windows directory
System Location Discovery: System Language Discovery
Unsigned PE
Enumerates physical storage devices
Suspicious behavior: RenamesItself
Uses Task Scheduler COM API
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Modifies registry class
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-17 22:33
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-17 22:33
Reported
2024-11-17 22:35
Platform
win7-20240903-en
Max time kernel
120s
Max time network
120s
Command Line
Signatures
Phorphiex family
Phorphiex payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Phorphiex, Phorpiex
Downloads MZ/PE file
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\E263.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\265712083.exe | N/A |
| N/A | N/A | C:\Windows\sysnldcvmr.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\10901a912b1705fa6dbada787e7249166c8570e0e88a9413b536208fb0c2fd2b.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\E263.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\E263.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\sysnldcvmr.exe" | C:\Users\Admin\AppData\Local\Temp\265712083.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\sysnldcvmr.exe | C:\Users\Admin\AppData\Local\Temp\265712083.exe | N/A |
| File opened for modification | C:\Windows\sysnldcvmr.exe | C:\Users\Admin\AppData\Local\Temp\265712083.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10901a912b1705fa6dbada787e7249166c8570e0e88a9413b536208fb0c2fd2b.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\E263.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\265712083.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\sysnldcvmr.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\10901a912b1705fa6dbada787e7249166c8570e0e88a9413b536208fb0c2fd2b.exe
"C:\Users\Admin\AppData\Local\Temp\10901a912b1705fa6dbada787e7249166c8570e0e88a9413b536208fb0c2fd2b.exe"
C:\Users\Admin\AppData\Local\Temp\E263.exe
"C:\Users\Admin\AppData\Local\Temp\E263.exe"
C:\Users\Admin\AppData\Local\Temp\265712083.exe
C:\Users\Admin\AppData\Local\Temp\265712083.exe
C:\Windows\sysnldcvmr.exe
C:\Windows\sysnldcvmr.exe
Network
| Country | Destination | Domain | Proto |
| RU | 185.215.113.66:80 | 185.215.113.66 | tcp |
| US | 8.8.8.8:53 | launchermeta.mojang.com | udp |
| US | 13.107.246.64:443 | launchermeta.mojang.com | tcp |
| N/A | 127.0.0.1:49199 | tcp | |
| N/A | 127.0.0.1:49201 | tcp | |
| N/A | 127.0.0.1:49205 | tcp | |
| N/A | 127.0.0.1:49207 | tcp | |
| US | 8.8.8.8:53 | sentry.io | udp |
| US | 35.186.247.156:443 | sentry.io | tcp |
| US | 8.8.8.8:53 | twizt.net | udp |
| RU | 185.215.113.66:80 | twizt.net | tcp |
| US | 35.186.247.156:443 | sentry.io | tcp |
| RU | 185.215.113.66:80 | twizt.net | tcp |
| RU | 185.215.113.66:80 | twizt.net | tcp |
| US | 8.8.8.8:53 | www.update.microsoft.com | udp |
| US | 20.109.209.108:80 | www.update.microsoft.com | tcp |
| UZ | 213.230.127.60:40500 | udp | |
| UZ | 89.236.216.14:40500 | tcp | |
| US | 198.163.204.6:40500 | udp | |
| RU | 92.124.152.236:40500 | udp | |
| IR | 151.233.61.190:40500 | udp | |
| MX | 187.235.150.54:40500 | udp | |
| UZ | 217.30.162.244:40500 | udp | |
| IR | 5.134.199.85:40500 | tcp | |
| MX | 189.230.99.20:40500 | udp | |
| IR | 2.182.195.184:40500 | udp | |
| UZ | 93.188.80.134:40500 | udp | |
| IR | 37.254.96.229:40500 | udp | |
| KZ | 2.133.136.145:40500 | udp | |
| UZ | 90.156.162.106:40500 | tcp | |
| IR | 78.38.107.167:40500 | udp | |
| KZ | 2.135.217.22:40500 | udp | |
| RU | 185.215.113.66:80 | twizt.net | tcp |
| RU | 185.215.113.66:80 | twizt.net | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\E263.exe
| MD5 | 8d8e6c7952a9dc7c0c73911c4dbc5518 |
| SHA1 | 9098da03b33b2c822065b49d5220359c275d5e94 |
| SHA256 | feb4c3ae4566f0acbb9e0f55417b61fefd89dc50a4e684df780813fb01d61278 |
| SHA512 | 91a573843c28dd32a9f31a60ba977f9a3d4bb19ffd1b7254333e09bcecef348c1b3220a348ebb2cb08edb57d56cb7737f026519da52199c9dc62c10aea236645 |
\Users\Admin\AppData\Local\Temp\265712083.exe
| MD5 | 0c883b1d66afce606d9830f48d69d74b |
| SHA1 | fe431fe73a4749722496f19b3b3ca0b629b50131 |
| SHA256 | d921fc993574c8be76553bcf4296d2851e48ee39b958205e69bdfd7cf661d2b1 |
| SHA512 | c047452a23efad4262479fbfeb5e23f9497d7cefd4cbb58e869801206669c2a0759698c70d18050316798d5d939b989537fdce3842aa742449f5e08ed7fa60a5 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\IAE3FJ0M\1[1]
| MD5 | 1fcb78fb6cf9720e9d9494c42142d885 |
| SHA1 | fef9c2e728ab9d56ce9ed28934b3182b6f1d5379 |
| SHA256 | 84652bb8c63ca4fd7eb7a2d6ef44029801f3057aa2961867245a3a765928dd02 |
| SHA512 | cdf58e463af1784aea86995b3e5d6b07701c5c4095e30ec80cc901ffd448c6f4f714c521bf8796ffa8c47538bf8bf5351e157596efaa7ab88155d63dc33f7dc3 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-17 22:33
Reported
2024-11-17 22:36
Platform
win10v2004-20241007-en
Max time kernel
118s
Max time network
127s
Command Line
Signatures
Phorphiex family
Phorphiex payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Phorphiex, Phorpiex
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 4992 created 3360 | N/A | C:\Users\Admin\AppData\Local\Temp\2801310509.exe | C:\Windows\Explorer.EXE |
| PID 4992 created 3360 | N/A | C:\Users\Admin\AppData\Local\Temp\2801310509.exe | C:\Windows\Explorer.EXE |
| PID 2036 created 3360 | N/A | C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe | C:\Windows\Explorer.EXE |
| PID 2036 created 3360 | N/A | C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe | C:\Windows\Explorer.EXE |
| PID 2036 created 3360 | N/A | C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe | C:\Windows\Explorer.EXE |
Xmrig family
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Downloads MZ/PE file
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\10901a912b1705fa6dbada787e7249166c8570e0e88a9413b536208fb0c2fd2b.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\10901a912b1705fa6dbada787e7249166c8570e0e88a9413b536208fb0c2fd2b.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\1860711583.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\10901a912b1705fa6dbada787e7249166c8570e0e88a9413b536208fb0c2fd2b.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tools\NativeUpdater.exe | N/A |
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\sysnldcvmr.exe" | C:\Users\Admin\AppData\Local\Temp\569332624.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2036 set thread context of 4384 | N/A | C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe | C:\Windows\System32\conhost.exe |
| PID 2036 set thread context of 4320 | N/A | C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe | C:\Windows\System32\dwm.exe |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\sysnldcvmr.exe | C:\Users\Admin\AppData\Local\Temp\569332624.exe | N/A |
| File opened for modification | C:\Windows\sysnldcvmr.exe | C:\Users\Admin\AppData\Local\Temp\569332624.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\9635.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10901a912b1705fa6dbada787e7249166c8570e0e88a9413b536208fb0c2fd2b.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\569332624.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\sysnldcvmr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10901a912b1705fa6dbada787e7249166c8570e0e88a9413b536208fb0c2fd2b.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\3278832195.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2239920500.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\145608347.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10901a912b1705fa6dbada787e7249166c8570e0e88a9413b536208fb0c2fd2b.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10901a912b1705fa6dbada787e7249166c8570e0e88a9413b536208fb0c2fd2b.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10901a912b1705fa6dbada787e7249166c8570e0e88a9413b536208fb0c2fd2b.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\tools\NativeUpdater.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\DllHost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10901a912b1705fa6dbada787e7249166c8570e0e88a9413b536208fb0c2fd2b.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3442511616-637977696-3186306149-1000\{EB81D010-0A87-4E77-B686-29FD891FD89D} | C:\Users\Admin\AppData\Local\Temp\10901a912b1705fa6dbada787e7249166c8570e0e88a9413b536208fb0c2fd2b.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tools\NativeUpdater.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\10901a912b1705fa6dbada787e7249166c8570e0e88a9413b536208fb0c2fd2b.exe
"C:\Users\Admin\AppData\Local\Temp\10901a912b1705fa6dbada787e7249166c8570e0e88a9413b536208fb0c2fd2b.exe"
C:\Users\Admin\AppData\Local\Temp\9635.exe
"C:\Users\Admin\AppData\Local\Temp\9635.exe"
C:\Users\Admin\AppData\Local\Temp\tools\NativeUpdater.exe
tools\NativeUpdater.exe 10901a912b1705fa6dbada787e7249166c8570e0e88a9413b536208fb0c2fd2b.exe 10901a912b1705fa6dbada787e7249166c8570e0e88a9413b536208fb0c2fd2b.exe.tmp --nativeLauncherVersion 788 --nativeLauncherVersion 788
C:\Users\Admin\AppData\Local\Temp\10901a912b1705fa6dbada787e7249166c8570e0e88a9413b536208fb0c2fd2b.exe
10901a912b1705fa6dbada787e7249166c8570e0e88a9413b536208fb0c2fd2b.exe --nativeLauncherVersion 788 --nativeLauncherVersion 788
C:\Users\Admin\AppData\Local\Temp\569332624.exe
C:\Users\Admin\AppData\Local\Temp\569332624.exe
C:\Windows\sysnldcvmr.exe
C:\Windows\sysnldcvmr.exe
C:\Users\Admin\AppData\Local\Temp\10901a912b1705fa6dbada787e7249166c8570e0e88a9413b536208fb0c2fd2b.exe
"C:\Users\Admin\AppData\Local\Temp\10901a912b1705fa6dbada787e7249166c8570e0e88a9413b536208fb0c2fd2b.exe" --type=gpu-process --field-trial-handle=2104,12231009377213019228,3537473072267892786,131072 --enable-features=CastMediaRouteProvider --no-sandbox --log-file="C:\Users\Admin\AppData\Roaming\.minecraft\launcher_cef_log.txt" --log-severity=info --lang=en-US --launcherui --workdir="C:\Users\Admin\AppData\Roaming\.minecraft" --gpu-preferences=MAAAAAAAAADgACAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --log-file="C:\Users\Admin\AppData\Roaming\.minecraft\launcher_cef_log.txt" --mojo-platform-channel-handle=2116 /prefetch:2
C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{45BA127D-10A8-46EA-8AB7-56EA9078943C}
C:\Users\Admin\AppData\Local\Temp\10901a912b1705fa6dbada787e7249166c8570e0e88a9413b536208fb0c2fd2b.exe
"C:\Users\Admin\AppData\Local\Temp\10901a912b1705fa6dbada787e7249166c8570e0e88a9413b536208fb0c2fd2b.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2104,12231009377213019228,3537473072267892786,131072 --enable-features=CastMediaRouteProvider --lang=en-US --service-sandbox-type=network --no-sandbox --log-file="C:\Users\Admin\AppData\Roaming\.minecraft\launcher_cef_log.txt" --log-severity=info --lang=en-US --launcherui --workdir="C:\Users\Admin\AppData\Roaming\.minecraft" --log-file="C:\Users\Admin\AppData\Roaming\.minecraft\launcher_cef_log.txt" --mojo-platform-channel-handle=2576 /prefetch:8
C:\Users\Admin\AppData\Local\Temp\10901a912b1705fa6dbada787e7249166c8570e0e88a9413b536208fb0c2fd2b.exe
"C:\Users\Admin\AppData\Local\Temp\10901a912b1705fa6dbada787e7249166c8570e0e88a9413b536208fb0c2fd2b.exe" --type=renderer --no-sandbox --log-file="C:\Users\Admin\AppData\Roaming\.minecraft\launcher_cef_log.txt" --field-trial-handle=2104,12231009377213019228,3537473072267892786,131072 --enable-features=CastMediaRouteProvider --lang=en-US --log-file="C:\Users\Admin\AppData\Roaming\.minecraft\launcher_cef_log.txt" --log-severity=info --launcherui --workdir="C:\Users\Admin\AppData\Roaming\.minecraft" --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2712 /prefetch:1
C:\Users\Admin\AppData\Local\Temp\10901a912b1705fa6dbada787e7249166c8570e0e88a9413b536208fb0c2fd2b.exe
"C:\Users\Admin\AppData\Local\Temp\10901a912b1705fa6dbada787e7249166c8570e0e88a9413b536208fb0c2fd2b.exe" --type=renderer --no-sandbox --log-file="C:\Users\Admin\AppData\Roaming\.minecraft\launcher_cef_log.txt" --field-trial-handle=2104,12231009377213019228,3537473072267892786,131072 --enable-features=CastMediaRouteProvider --lang=en-US --log-file="C:\Users\Admin\AppData\Roaming\.minecraft\launcher_cef_log.txt" --log-severity=info --launcherui --workdir="C:\Users\Admin\AppData\Roaming\.minecraft" --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=3 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2720 /prefetch:1
C:\Users\Admin\AppData\Local\Temp\1860711583.exe
C:\Users\Admin\AppData\Local\Temp\1860711583.exe
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /delete /f /tn "Windows Upgrade Manager"
C:\Windows\system32\reg.exe
reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f
C:\Windows\system32\schtasks.exe
schtasks /delete /f /tn "Windows Upgrade Manager"
C:\Users\Admin\AppData\Local\Temp\3278832195.exe
C:\Users\Admin\AppData\Local\Temp\3278832195.exe
C:\Users\Admin\AppData\Local\Temp\2239920500.exe
C:\Users\Admin\AppData\Local\Temp\2239920500.exe
C:\Users\Admin\AppData\Local\Temp\145608347.exe
C:\Users\Admin\AppData\Local\Temp\145608347.exe
C:\Users\Admin\AppData\Local\Temp\2801310509.exe
C:\Users\Admin\AppData\Local\Temp\2801310509.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#evrkcgqew#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Microsoft Windows Security' /tr '''C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Microsoft Windows Security' -RunLevel 'Highest' -Force; }
C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /run /tn "Microsoft Windows Security"
C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe
"C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#evrkcgqew#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Microsoft Windows Security' /tr '''C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Microsoft Windows Security' -RunLevel 'Highest' -Force; }
C:\Windows\System32\conhost.exe
C:\Windows\System32\conhost.exe
C:\Windows\System32\dwm.exe
C:\Windows\System32\dwm.exe
Network
| Country | Destination | Domain | Proto |
| RU | 185.215.113.66:80 | 185.215.113.66 | tcp |
| US | 8.8.8.8:53 | launchermeta.mojang.com | udp |
| US | 13.107.246.64:443 | launchermeta.mojang.com | tcp |
| US | 8.8.8.8:53 | piston-meta.mojang.com | udp |
| US | 13.107.246.64:443 | piston-meta.mojang.com | tcp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 66.113.215.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 64.246.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | piston-data.mojang.com | udp |
| US | 13.107.246.64:443 | piston-data.mojang.com | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| N/A | 127.0.0.1:49752 | tcp | |
| N/A | 127.0.0.1:49754 | tcp | |
| N/A | 127.0.0.1:49757 | tcp | |
| N/A | 127.0.0.1:49760 | tcp | |
| US | 8.8.8.8:53 | twizt.net | udp |
| RU | 185.215.113.66:80 | twizt.net | tcp |
| US | 13.107.246.64:443 | piston-data.mojang.com | tcp |
| US | 13.107.246.64:443 | piston-data.mojang.com | tcp |
| US | 13.107.246.64:443 | piston-data.mojang.com | tcp |
| US | 13.107.246.64:443 | piston-data.mojang.com | tcp |
| US | 13.107.246.64:443 | piston-data.mojang.com | tcp |
| US | 13.107.246.64:443 | piston-data.mojang.com | tcp |
| US | 13.107.246.64:443 | piston-data.mojang.com | tcp |
| US | 13.107.246.64:443 | piston-data.mojang.com | tcp |
| N/A | 127.0.0.1:49778 | tcp | |
| N/A | 127.0.0.1:49783 | tcp | |
| N/A | 127.0.0.1:49786 | tcp | |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| RU | 185.215.113.66:80 | twizt.net | tcp |
| RU | 185.215.113.66:80 | twizt.net | tcp |
| US | 8.8.8.8:53 | www.xboxab.com | udp |
| US | 13.107.5.91:443 | www.xboxab.com | tcp |
| US | 8.8.8.8:53 | sentry.io | udp |
| US | 35.186.247.156:443 | sentry.io | tcp |
| US | 8.8.8.8:53 | launchermeta.mojang.com | udp |
| US | 13.107.246.64:443 | launchermeta.mojang.com | tcp |
| US | 13.107.246.64:443 | launchermeta.mojang.com | tcp |
| US | 8.8.8.8:53 | title.mgt.xboxlive.com | udp |
| IE | 13.69.141.149:443 | title.mgt.xboxlive.com | tcp |
| US | 8.8.8.8:53 | device.auth.xboxlive.com | udp |
| US | 40.122.167.99:443 | device.auth.xboxlive.com | tcp |
| US | 8.8.8.8:53 | 91.5.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 156.247.186.35.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.141.69.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 99.167.122.40.in-addr.arpa | udp |
| N/A | 127.0.0.1:50107 | tcp | |
| N/A | 127.0.0.1:50114 | tcp | |
| N/A | 127.0.0.1:50117 | tcp | |
| N/A | 127.0.0.1:50122 | tcp | |
| N/A | 127.0.0.1:50128 | tcp | |
| N/A | 224.0.0.251:5353 | udp | |
| N/A | 127.0.0.1:50132 | tcp | |
| US | 8.8.8.8:53 | launchercontent.mojang.com | udp |
| US | 13.107.246.64:443 | launchercontent.mojang.com | tcp |
| US | 13.107.246.64:443 | launchercontent.mojang.com | tcp |
| US | 13.107.246.64:443 | launchercontent.mojang.com | tcp |
| US | 13.107.246.64:443 | launchercontent.mojang.com | tcp |
| US | 13.107.246.64:443 | launchercontent.mojang.com | tcp |
| US | 13.107.246.64:443 | launchercontent.mojang.com | tcp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| N/A | 127.0.0.1:50173 | tcp | |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | vortex.data.microsoft.com | udp |
| US | 20.42.73.28:443 | vortex.data.microsoft.com | tcp |
| US | 8.8.8.8:53 | 28.73.42.20.in-addr.arpa | udp |
| N/A | 127.0.0.1:50213 | tcp | |
| US | 8.8.8.8:53 | www.update.microsoft.com | udp |
| US | 20.72.235.82:80 | www.update.microsoft.com | tcp |
| US | 8.8.8.8:53 | 82.235.72.20.in-addr.arpa | udp |
| RU | 178.71.163.141:40500 | udp | |
| KZ | 2.133.136.145:40500 | tcp | |
| US | 8.8.8.8:53 | 141.163.71.178.in-addr.arpa | udp |
| KZ | 2.133.70.66:40500 | udp | |
| US | 8.8.8.8:53 | 66.70.133.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.130.81.91.in-addr.arpa | udp |
| KZ | 89.218.244.178:40500 | tcp | |
| RU | 185.215.113.66:80 | twizt.net | tcp |
| RU | 185.215.113.66:80 | twizt.net | tcp |
| IR | 89.36.108.131:40500 | udp | |
| US | 8.8.8.8:53 | 131.108.36.89.in-addr.arpa | udp |
| KZ | 92.47.143.122:40500 | udp | |
| US | 8.8.8.8:53 | 122.143.47.92.in-addr.arpa | udp |
| RU | 185.215.113.66:80 | twizt.net | tcp |
| KZ | 95.58.216.162:40500 | udp | |
| US | 8.8.8.8:53 | 162.216.58.95.in-addr.arpa | udp |
| RU | 185.215.113.66:80 | twizt.net | tcp |
| IR | 151.232.164.243:40500 | udp | |
| US | 8.8.8.8:53 | 243.164.232.151.in-addr.arpa | udp |
| RU | 185.215.113.84:80 | 185.215.113.84 | tcp |
| US | 8.8.8.8:53 | 84.113.215.185.in-addr.arpa | udp |
| RU | 185.215.113.66:80 | twizt.net | tcp |
| UZ | 94.141.69.122:40500 | udp | |
| US | 8.8.8.8:53 | 122.69.141.94.in-addr.arpa | udp |
| KZ | 178.88.234.149:40500 | tcp | |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| RU | 178.67.165.88:40500 | udp | |
| TM | 91.202.233.141:80 | 91.202.233.141 | tcp |
| US | 8.8.8.8:53 | 88.165.67.178.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 141.233.202.91.in-addr.arpa | udp |
| MX | 201.108.200.21:40500 | udp | |
| US | 8.8.8.8:53 | 21.200.108.201.in-addr.arpa | udp |
| US | 8.8.8.8:53 | twizthash.net | udp |
| RU | 185.215.113.66:5152 | twizthash.net | tcp |
| UZ | 90.156.166.108:40500 | udp | |
| US | 8.8.8.8:53 | 108.166.156.90.in-addr.arpa | udp |
| KZ | 84.240.235.134:40500 | udp | |
| US | 8.8.8.8:53 | 134.235.240.84.in-addr.arpa | udp |
| IR | 2.191.61.218:40500 | udp | |
| US | 8.8.8.8:53 | 218.61.191.2.in-addr.arpa | udp |
| IN | 59.91.192.115:40500 | tcp | |
| KZ | 77.240.41.134:40500 | udp | |
| US | 8.8.8.8:53 | 134.41.240.77.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\9635.exe
| MD5 | 8d8e6c7952a9dc7c0c73911c4dbc5518 |
| SHA1 | 9098da03b33b2c822065b49d5220359c275d5e94 |
| SHA256 | feb4c3ae4566f0acbb9e0f55417b61fefd89dc50a4e684df780813fb01d61278 |
| SHA512 | 91a573843c28dd32a9f31a60ba977f9a3d4bb19ffd1b7254333e09bcecef348c1b3220a348ebb2cb08edb57d56cb7737f026519da52199c9dc62c10aea236645 |
C:\Users\Admin\AppData\Local\Temp\tools\NativeUpdater.exe
| MD5 | 69f6d2214bfcafa9236c1747b398a1af |
| SHA1 | c3bbb7986ab728493a05c57dcb7f1a383258f3c9 |
| SHA256 | f13212b3462edbd5cd14d81b5397bf2f0281cc221c5464f4875c0ab0b84fe884 |
| SHA512 | 59d55fa5a8d0518bf645001742e5ec0bbb0af6ca9203ed46ca9cc453e5be883de11e978bdfd68677a5f3653ee7a97cc1eeb8633fd4c5ece95790d166d1b22cd8 |
C:\Users\Admin\AppData\Local\Temp\10901a912b1705fa6dbada787e7249166c8570e0e88a9413b536208fb0c2fd2b.exe.tmp
| MD5 | e8c86a94df2f0a4c5edfa59cfc420329 |
| SHA1 | 4212cb446a2dce87225ca20ba45e10befb084062 |
| SHA256 | 60c59edec70f5cd7d1cf880e7a1475de6f73932dc23ae913f9c7dfeaf52489e1 |
| SHA512 | 273298886ff9466a28caae48e59d701fc1519ba39196ff5abac8c52b0d00e21be00e852ff453ed659fcf2c7cc980c138bf162a4dc8453d84fc542df451880e2e |
memory/2388-14-0x0000000000400000-0x00000000006D7DB0-memory.dmp
C:\Users\Admin\AppData\Roaming\.minecraft\launcher_log.txt
| MD5 | fd255b681713d0bc128c80536f1fa4db |
| SHA1 | 2572bb562e961ae23895387acc52af018921f6a9 |
| SHA256 | 8ec7b241961d398f2166e02e484a0b8e70212b9fe82a320f94ed5b6922e2a4bb |
| SHA512 | 32af6159e4b0203f65d558f8022fc436814ec48828734401812fb8665fe5f44b1711b59bdc1df3417e7954b240d536fa4733548a1f017eeaf5166e3d5323963a |
C:\Users\Admin\AppData\Local\Temp\569332624.exe
| MD5 | 0c883b1d66afce606d9830f48d69d74b |
| SHA1 | fe431fe73a4749722496f19b3b3ca0b629b50131 |
| SHA256 | d921fc993574c8be76553bcf4296d2851e48ee39b958205e69bdfd7cf661d2b1 |
| SHA512 | c047452a23efad4262479fbfeb5e23f9497d7cefd4cbb58e869801206669c2a0759698c70d18050316798d5d939b989537fdce3842aa742449f5e08ed7fa60a5 |
C:\Users\Admin\AppData\Local\Temp\game\chrome_elf.dll
| MD5 | 4c8f4689e087a9843a79d6ec923f00df |
| SHA1 | e6e37e19a04a55944bdfba6f9359bbe0ea8402fc |
| SHA256 | 8753acc450280e1c5ef5a09dac46d1fd873f1e66d771affc4b4afbfa3d59e3c4 |
| SHA512 | 30b205bb4b391b23a7bb15248daa42af3ec34225d169a0d70325ea7e1422d298ea3376962e689311074346dd7aec3579789748e3aaa17b04ab72de6c0a0fc5e0 |
C:\Users\Admin\AppData\Roaming\.minecraft\launcher_settings.json
| MD5 | 270ade77b4358d215f30e625a2b172f6 |
| SHA1 | c407dcca0525ba0bb9d9c5d63ac78f7aa03ae03a |
| SHA256 | 7afa6b9dacfb8d546c8f9c386601999232fa9aa6bcc9879503ab2433e053c3c5 |
| SHA512 | af56d5ec7d603284db4fe340f5f5fc00c48b0e3d065660cb3d40088e6c4c35675cb7eaa6504803a11120d49e40d7aeb0f5321aacef79e5b074369722056bcd62 |
C:\Users\Admin\AppData\Local\Temp\game\cef_extensions.pak
| MD5 | c294094045246da46492204f2920d74f |
| SHA1 | 229367ac0be0a2da9d6338cba6f45c07f790140c |
| SHA256 | 8e8882c3d420231e1ddd1329e259cd8dc38fe392727aa74cfa4df57125d4cfb3 |
| SHA512 | 03543e3c436a8b42b3f5bb942de468b4898172720ddef5597535b81347581ae0c89bf91e6bef3b91c796ca5bd393a865b2fa53ba70b2fda6578c640b14ab92cd |
C:\Users\Admin\AppData\Local\Temp\game\cef_200_percent.pak
| MD5 | 50a6d9ab74ebfaeda5baa28997149977 |
| SHA1 | 1ad557cecf3d54a5fbe471ceab189d344fef347c |
| SHA256 | c8f7697bdb4aa19722b975dd2126baf8c2edb5c0a58e2d64a6fefa4cbb8335ec |
| SHA512 | 31647191b432f82ff24a41a16abb77512bed2f3105791079d795304452e2bff89f618202023fd133cdc79f80d02647093edebca9e43c19cbd4d2bed4c8d35180 |
C:\Users\Admin\AppData\Local\Temp\game\cef_100_percent.pak
| MD5 | 4cec40309dc9e4bf0f0cc915aeb6c9ac |
| SHA1 | 2da1b18943265f473f6b87b63132dbb2398ff487 |
| SHA256 | 6267cb52b0ca5593cf402139e736eb4f1d6bc3f2eab4c6deb99934711050ef4f |
| SHA512 | e684d4d735762e87c8556c164379f97f59b8b4077e2f4c49ae43610ca2a3994ad45839cf6edef4e741a4f1fb345413e4246fb5901dd52bd98c9a2f60866817c7 |
C:\Users\Admin\AppData\Local\Temp\game\cef.pak
| MD5 | fa6c54291dcc13acc9dbec30923fe503 |
| SHA1 | 8f157cc1ab1c18bf47305543b149604797cd6587 |
| SHA256 | 455dd904ba68305f45682ae9c776a87cb2cb67bbe2d20e13cf97a812b68cf5f4 |
| SHA512 | 135773297e6481f66d53a6a6bb887e0e0ba17ded9f76e2cef2db48a095a4c301eda84feb46f2a44425f4d34accd72765ee324d30a0692aa0c6d2c513166d51de |
C:\Users\Admin\AppData\Local\Temp\game\locales\en-US.pak
| MD5 | 16a6914c9637812257e28b2cc4e6d809 |
| SHA1 | 82212a642c90b51b8f67e517ee8782da841b658f |
| SHA256 | 8fe734f556d97e7c07d02e839a16565f7db88ca7091ca3903a9b153a68aaaf72 |
| SHA512 | 6efbab68c8b036fd73951295a5f65718003deea46db838f6f263133452e09be45ce006246850facbb1922766f42c2ce1796722cecfcc8495921a7bcd9402a446 |
C:\Users\Admin\AppData\Local\Temp\game\icudtl.dat
| MD5 | 9732e28c054db1e042cd306a7bc9227a |
| SHA1 | 6bab2e77925515888808c1ef729c5bb1323100dd |
| SHA256 | 27993e2079711d5f0f04a72f48fee88b269604c8e3fbdf50a7f7bb3f5bfc8d8e |
| SHA512 | 3eb67ab896a56dab4a2d6eea98f251affd6864c5f5b24f22b61b6acc1df4460d86f0a448f1983aac019e79ff930286c3510891be9d48ef07a93ff975a0e55335 |
C:\Users\Admin\AppData\Roaming\.minecraft\launcher_cef_log.txt
| MD5 | 45d8315aef0ae69006d5ef873d0c0b31 |
| SHA1 | 021a2cda7e2315289206e3a49802278700376680 |
| SHA256 | 936ee78a7972a02276c7a977046114f4307673a26e80aba7a7fc9d4d7f9a1d76 |
| SHA512 | f3937916bd6762833260d305882ca528adb3f0b96874bd721cd3902fb82a39a22ca859bb8fa4de3ee78c9a0c9d661d4254243dc7515232f9d80526f903721f79 |
C:\Users\Admin\AppData\Local\Temp\game\libEGL.dll
| MD5 | e646266652e470489b912c39d4bbfacf |
| SHA1 | fb5af43ba527f0b03f6e5db0dba870df7acecf77 |
| SHA256 | e2b31cbbbd97c2d098a44acd5e1c84e092f4bf4c535fe6ebc3703a78387c03a9 |
| SHA512 | fe5ca9d6dc63ca6982702072aa34ada2d43c3c781e1fac09e324b17b3ed05bb8d203c3c08c0fe4aaf8985781933a8a3f2cd8e4928b0fe567c46a8da46f481b3f |
C:\Users\Admin\AppData\Local\Temp\game\libGLESv2.dll
| MD5 | 79d62a3663c1963c90ed84045e0450ac |
| SHA1 | cd3b444ec31e78c7bef960f91548de1e1f2ae487 |
| SHA256 | 896cd68e51fb5c4937717e350b911d5dd18dc285f466fb712ccb0578fff1365e |
| SHA512 | 2da35a7db00ad3c22de448abfe3eb4425088b51db0f093dcfb0e934edee40567ebc8cd1bf0768bb1a43a397a49ce5d388edf2427fcc09eb48033b8baea918520 |
C:\Users\Admin\AppData\Local\Temp\game\v8_context_snapshot.bin
| MD5 | cdeec3342ce88d4de5426032a6bf6a53 |
| SHA1 | b36ec3c3b20a7a06ff282d696f12b51904b073a4 |
| SHA256 | ca88a3c7034da1de52d35823fba0fe80ba5376ab70cdc1841e6aaf25c1f5dd6e |
| SHA512 | 54874cd76589124b750fdae90be75e1acf374566d56352c15dbbee98c095aad0e56db142952a808b08e4817bf5f8e176ffdc4ff79110d8661ee4f7ede16b2ea9 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\0TSRVAPX\1[1]
| MD5 | 1fcb78fb6cf9720e9d9494c42142d885 |
| SHA1 | fef9c2e728ab9d56ce9ed28934b3182b6f1d5379 |
| SHA256 | 84652bb8c63ca4fd7eb7a2d6ef44029801f3057aa2961867245a3a765928dd02 |
| SHA512 | cdf58e463af1784aea86995b3e5d6b07701c5c4095e30ec80cc901ffd448c6f4f714c521bf8796ffa8c47538bf8bf5351e157596efaa7ab88155d63dc33f7dc3 |
C:\Users\Admin\AppData\Local\Temp\1860711583.exe
| MD5 | cb8420e681f68db1bad5ed24e7b22114 |
| SHA1 | 416fc65d538d3622f5ca71c667a11df88a927c31 |
| SHA256 | 5850892f67f85991b31fc90f62c8b7791afeb3c08ae1877d857aa2b59471a2ea |
| SHA512 | baaabcc4ad5d409267a34ed7b20e4afb4d247974bfc581d39aae945e5bf8a673a1f8eacae2e6783480c8baaeb0a80d028274a202d456f13d0af956afa0110fdf |
memory/4676-424-0x0000000000A60000-0x0000000000A66000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\3278832195.exe
| MD5 | 6946486673f91392724e944be9ca9249 |
| SHA1 | e74009983ced1fa683cda30b52ae889bc2ca6395 |
| SHA256 | 885fbe678b117e5e0eace7c64980f6072c31290eb36d0e14953d6a2d12eff9cd |
| SHA512 | e3241f85def0efefd36b3ffb6722ab025e8523082e4cf3e7f35ff86a9a452b5a50454c3b9530dfdad3929f74a6e42bf2a2cf35e404af588f778e0579345b38c9 |
C:\Users\Admin\AppData\Local\Temp\2239920500.exe
| MD5 | 96509ab828867d81c1693b614b22f41d |
| SHA1 | c5f82005dbda43cedd86708cc5fc3635a781a67e |
| SHA256 | a9de2927b0ec45cf900508fec18531c04ee9fa8a5dfe2fc82c67d9458cf4b744 |
| SHA512 | ff603117a06da8fb2386c1d2049a5896774e41f34d05951ecd4e7b5fc9da51a373e3fcf61af3577ff78490cf898471ce8e71eae848a12812fe98cd7e76e1a9ca |
C:\Users\Admin\AppData\Local\Temp\145608347.exe
| MD5 | 0c37ee292fec32dba0420e6c94224e28 |
| SHA1 | 012cbdddaddab319a4b3ae2968b42950e929c46b |
| SHA256 | 981d724feebc36777e99513dc061d1f009e589f965c920797285c46d863060d1 |
| SHA512 | 2b60b571c55d0441ba0cfc695f9db5cd12660ebec7effc7e893c3b7a1c6cb6149df487c31b8d748697e260cbc4af29331592b705ea9638f64a711c7a6164628b |
C:\Users\Admin\AppData\Local\Temp\2801310509.exe
| MD5 | 13b26b2c7048a92d6a843c1302618fad |
| SHA1 | 89c2dfc01ac12ef2704c7669844ec69f1700c1ca |
| SHA256 | 1753ad35ece25ab9a19048c70062e9170f495e313d7355ebbba59c38f5d90256 |
| SHA512 | d6aff89b61c9945002a6798617ad304612460a607ef1cfbdcb32f8932ca648bcee1d5f2e0321bb4c58c1f4642b1e0ececc1eb82450fdec7dff69b5389f195455 |
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_a1iih4tl.zc4.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/736-460-0x000001DFF5650000-0x000001DFF5672000-memory.dmp
memory/4992-465-0x00007FF633020000-0x00007FF6335B7000-memory.dmp
C:\Users\Admin\AppData\Roaming\.minecraft\webcache2\Network Persistent State
| MD5 | b38b8a330156eb7677945e77c8cf77dc |
| SHA1 | da8a3a817aac14fdacf1fad98ae5f3f6016f456c |
| SHA256 | 3ee58c6cbcd92c049736f417a284876fb56a969870358cd3718a3e8ec7f9b184 |
| SHA512 | 7e49e5c8fc2f37eb28ac8764084c5fedf1c784e6cfeb9a3ded1c01ba43951dab786ffec7d944d784adaf14c40c59906d78bcd81e0aa7622acb9424d295a4ed06 |
C:\Users\Admin\AppData\Roaming\.minecraft\webcache2\Network Persistent State~RFe591b00.TMP
| MD5 | 78bfcecb05ed1904edce3b60cb5c7e62 |
| SHA1 | bf77a7461de9d41d12aa88fba056ba758793d9ce |
| SHA256 | c257f929cff0e4380bf08d9f36f310753f7b1ccb5cb2ab811b52760dd8cb9572 |
| SHA512 | 2420dff6eb853f5e1856cdab99561a896ea0743fcff3e04b37cb87eddf063770608a30c6ffb0319e5d353b0132c5f8135b7082488e425666b2c22b753a6a4d73 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | fee026663fcb662152188784794028ee |
| SHA1 | 3c02a26a9cb16648fad85c6477b68ced3cb0cb45 |
| SHA256 | dbd4136bc342e3e92902ec3a30d165452c82997a7ae24ac90775e42d88959e6b |
| SHA512 | 7b12bd5c8fc4356b9123d6586b4980cf76012663b41c0dab6f6f21567e2f4005c5bcea2cc2158d157e4f801a281f3e04bad3774cddb3122db309ccf662184bd6 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | fc35bf2367ee5c6feb084ab39f5c26eb |
| SHA1 | cd9742c05391a92780a81fe836797a5909c7f9c1 |
| SHA256 | 7ad08f1c2e7df4102eb3a6d213f4a0c245300c275fd53e463655a8ab9fa3ec64 |
| SHA512 | 0b6662ea93907902c9f5db98bed4e9d322a69e7b8df921f6b8bd8026fdbfa556b0afe29013e3ecc8982a6339c48b4fe371ba587f02c39de72cb3840ed0e6747b |
memory/4320-493-0x0000019E54200000-0x0000019E54220000-memory.dmp
memory/2036-492-0x00007FF6EDD30000-0x00007FF6EE2C7000-memory.dmp
memory/4384-494-0x00007FF6A1970000-0x00007FF6A1999000-memory.dmp
memory/4320-495-0x00007FF770240000-0x00007FF770A2F000-memory.dmp