Analysis Overview
SHA256
3523dedcaafb867201cbc845a91715109830fbc04d3a12b3185f178355bd31d0
Threat Level: Known bad
The file 3523dedcaafb867201cbc845a91715109830fbc04d3a12b3185f178355bd31d0N.exe was found to be: Known bad.
Malicious Activity Summary
xmrig
Xmrig family
Phorphiex family
Phorphiex payload
Phorphiex, Phorpiex
Suspicious use of NtCreateUserProcessOtherParentProcess
XMRig Miner payload
Downloads MZ/PE file
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
Command and Scripting Interpreter: PowerShell
Suspicious use of SetThreadContext
Drops file in Windows directory
System Location Discovery: System Language Discovery
Unsigned PE
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-17 00:23
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-17 00:23
Reported
2024-11-17 00:25
Platform
win7-20241010-en
Max time kernel
119s
Max time network
121s
Command Line
Signatures
Phorphiex family
Phorphiex payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Phorphiex, Phorpiex
Downloads MZ/PE file
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\C957.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\106969163.exe | N/A |
| N/A | N/A | C:\Windows\sysnldcvmr.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3523dedcaafb867201cbc845a91715109830fbc04d3a12b3185f178355bd31d0N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\C957.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\C957.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\sysnldcvmr.exe" | C:\Users\Admin\AppData\Local\Temp\106969163.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\sysnldcvmr.exe | C:\Users\Admin\AppData\Local\Temp\106969163.exe | N/A |
| File opened for modification | C:\Windows\sysnldcvmr.exe | C:\Users\Admin\AppData\Local\Temp\106969163.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\3523dedcaafb867201cbc845a91715109830fbc04d3a12b3185f178355bd31d0N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\C957.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\106969163.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\sysnldcvmr.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\3523dedcaafb867201cbc845a91715109830fbc04d3a12b3185f178355bd31d0N.exe
"C:\Users\Admin\AppData\Local\Temp\3523dedcaafb867201cbc845a91715109830fbc04d3a12b3185f178355bd31d0N.exe"
C:\Users\Admin\AppData\Local\Temp\C957.exe
"C:\Users\Admin\AppData\Local\Temp\C957.exe"
C:\Users\Admin\AppData\Local\Temp\106969163.exe
C:\Users\Admin\AppData\Local\Temp\106969163.exe
C:\Windows\sysnldcvmr.exe
C:\Windows\sysnldcvmr.exe
Network
| Country | Destination | Domain | Proto |
| RU | 185.215.113.66:80 | 185.215.113.66 | tcp |
| US | 8.8.8.8:53 | twizt.net | udp |
| RU | 185.215.113.66:80 | twizt.net | tcp |
| RU | 185.215.113.66:80 | twizt.net | tcp |
| RU | 185.215.113.66:80 | twizt.net | tcp |
| US | 8.8.8.8:53 | www.update.microsoft.com | udp |
| US | 20.109.209.108:80 | www.update.microsoft.com | tcp |
| KZ | 92.47.230.214:40500 | | udp |
| IR | 2.177.144.169:40500 | | tcp |
| IR | 2.181.218.207:40500 | | udp |
| IR | 151.241.234.162:40500 | | tcp |
| UZ | 195.158.22.210:40500 | | udp |
| RU | 188.124.116.191:40500 | | udp |
| IR | 188.212.145.214:40500 | | udp |
| SY | 77.44.162.69:40500 | | udp |
| IR | 2.187.42.28:40500 | | udp |
| IR | 46.248.34.105:40500 | | tcp |
| AO | 102.213.97.19:40500 | | udp |
| IR | 78.38.107.167:40500 | | tcp |
| IR | 2.181.218.27:40500 | | udp |
| IR | 2.178.140.117:40500 | | udp |
| UZ | 195.158.21.74:40500 | | udp |
| IR | 2.187.82.204:40500 | | udp |
| MX | 189.130.171.120:40500 | | udp |
Files
C:\Users\Admin\AppData\Local\Temp\C957.exe
| MD5 | 8d8e6c7952a9dc7c0c73911c4dbc5518 |
| SHA1 | 9098da03b33b2c822065b49d5220359c275d5e94 |
| SHA256 | feb4c3ae4566f0acbb9e0f55417b61fefd89dc50a4e684df780813fb01d61278 |
| SHA512 | 91a573843c28dd32a9f31a60ba977f9a3d4bb19ffd1b7254333e09bcecef348c1b3220a348ebb2cb08edb57d56cb7737f026519da52199c9dc62c10aea236645 |
\Users\Admin\AppData\Local\Temp\106969163.exe
| MD5 | 0c883b1d66afce606d9830f48d69d74b |
| SHA1 | fe431fe73a4749722496f19b3b3ca0b629b50131 |
| SHA256 | d921fc993574c8be76553bcf4296d2851e48ee39b958205e69bdfd7cf661d2b1 |
| SHA512 | c047452a23efad4262479fbfeb5e23f9497d7cefd4cbb58e869801206669c2a0759698c70d18050316798d5d939b989537fdce3842aa742449f5e08ed7fa60a5 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-17 00:23
Reported
2024-11-17 00:25
Platform
win10v2004-20241007-en
Max time kernel
118s
Max time network
121s
Command Line
Signatures
Phorphiex family
Phorphiex payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Phorphiex, Phorpiex
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 4004 created 3448 | N/A | C:\Users\Admin\AppData\Local\Temp\1394617377.exe | C:\Windows\Explorer.EXE |
| PID 4004 created 3448 | N/A | C:\Users\Admin\AppData\Local\Temp\1394617377.exe | C:\Windows\Explorer.EXE |
| PID 1180 created 3448 | N/A | C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe | C:\Windows\Explorer.EXE |
| PID 1180 created 3448 | N/A | C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe | C:\Windows\Explorer.EXE |
| PID 1180 created 3448 | N/A | C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe | C:\Windows\Explorer.EXE |
Xmrig family
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Downloads MZ/PE file
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\180117683.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8993.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3130721910.exe | N/A |
| N/A | N/A | C:\Windows\sysnldcvmr.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\180117683.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\50045733.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\542527217.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1394617377.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\862815267.exe | N/A |
| N/A | N/A | C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\sysnldcvmr.exe" | C:\Users\Admin\AppData\Local\Temp\3130721910.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1180 set thread context of 4340 | N/A | C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe | C:\Windows\System32\conhost.exe |
| PID 1180 set thread context of 2768 | N/A | C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe | C:\Windows\System32\dwm.exe |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\sysnldcvmr.exe | C:\Users\Admin\AppData\Local\Temp\3130721910.exe | N/A |
| File opened for modification | C:\Windows\sysnldcvmr.exe | C:\Users\Admin\AppData\Local\Temp\3130721910.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\3523dedcaafb867201cbc845a91715109830fbc04d3a12b3185f178355bd31d0N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\8993.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\3130721910.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\sysnldcvmr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\50045733.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\542527217.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\862815267.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\3523dedcaafb867201cbc845a91715109830fbc04d3a12b3185f178355bd31d0N.exe
"C:\Users\Admin\AppData\Local\Temp\3523dedcaafb867201cbc845a91715109830fbc04d3a12b3185f178355bd31d0N.exe"
C:\Users\Admin\AppData\Local\Temp\8993.exe
"C:\Users\Admin\AppData\Local\Temp\8993.exe"
C:\Users\Admin\AppData\Local\Temp\3130721910.exe
C:\Users\Admin\AppData\Local\Temp\3130721910.exe
C:\Windows\sysnldcvmr.exe
C:\Windows\sysnldcvmr.exe
C:\Users\Admin\AppData\Local\Temp\180117683.exe
C:\Users\Admin\AppData\Local\Temp\180117683.exe
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /delete /f /tn "Windows Upgrade Manager"
C:\Windows\system32\reg.exe
reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f
C:\Windows\system32\schtasks.exe
schtasks /delete /f /tn "Windows Upgrade Manager"
C:\Users\Admin\AppData\Local\Temp\50045733.exe
C:\Users\Admin\AppData\Local\Temp\50045733.exe
C:\Users\Admin\AppData\Local\Temp\542527217.exe
C:\Users\Admin\AppData\Local\Temp\542527217.exe
C:\Users\Admin\AppData\Local\Temp\1394617377.exe
C:\Users\Admin\AppData\Local\Temp\1394617377.exe
C:\Users\Admin\AppData\Local\Temp\862815267.exe
C:\Users\Admin\AppData\Local\Temp\862815267.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#evrkcgqew#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Microsoft Windows Security' /tr '''C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Microsoft Windows Security' -RunLevel 'Highest' -Force; }
C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /run /tn "Microsoft Windows Security"
C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe
"C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#evrkcgqew#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Microsoft Windows Security' /tr '''C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Microsoft Windows Security' -RunLevel 'Highest' -Force; }
C:\Windows\System32\conhost.exe
C:\Windows\System32\conhost.exe
C:\Windows\System32\dwm.exe
C:\Windows\System32\dwm.exe
Network
| Country | Destination | Domain | Proto |
| RU | 185.215.113.66:80 | 185.215.113.66 | tcp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 66.113.215.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | twizt.net | udp |
| RU | 185.215.113.66:80 | twizt.net | tcp |
| RU | 185.215.113.66:80 | twizt.net | tcp |
| RU | 185.215.113.66:80 | twizt.net | tcp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| RU | 185.215.113.66:80 | twizt.net | tcp |
| RU | 185.215.113.66:80 | twizt.net | tcp |
| US | 8.8.8.8:53 | www.update.microsoft.com | udp |
| US | 20.109.209.108:80 | www.update.microsoft.com | tcp |
| US | 8.8.8.8:53 | 108.209.109.20.in-addr.arpa | udp |
| RU | 185.215.113.66:80 | twizt.net | tcp |
| IR | 151.245.127.72:40500 | | udp |
| SY | 188.160.12.49:40500 | | tcp |
| US | 8.8.8.8:53 | 72.127.245.151.in-addr.arpa | udp |
| RU | 185.215.113.84:80 | 185.215.113.84 | tcp |
| US | 8.8.8.8:53 | 84.113.215.185.in-addr.arpa | udp |
| RU | 185.215.113.66:80 | twizt.net | tcp |
| RU | 94.190.92.110:40500 | | udp |
| US | 8.8.8.8:53 | 110.92.190.94.in-addr.arpa | udp |
| IR | 2.191.88.20:40500 | | udp |
| TM | 91.202.233.141:80 | 91.202.233.141 | tcp |
| US | 8.8.8.8:53 | 20.88.191.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 141.233.202.91.in-addr.arpa | udp |
| UZ | 5.133.123.159:40500 | | udp |
| US | 8.8.8.8:53 | 159.123.133.5.in-addr.arpa | udp |
| US | 8.8.8.8:53 | twizthash.net | udp |
| RU | 185.215.113.66:5152 | twizthash.net | tcp |
| PK | 39.48.235.83:40500 | | udp |
| US | 8.8.8.8:53 | 83.235.48.39.in-addr.arpa | udp |
| AO | 129.122.141.24:40500 | | udp |
| UZ | 213.230.69.230:40500 | | tcp |
| US | 8.8.8.8:53 | 24.141.122.129.in-addr.arpa | udp |
| KZ | 2.133.136.145:40500 | | udp |
| US | 8.8.8.8:53 | 145.136.133.2.in-addr.arpa | udp |
| IR | 2.189.231.17:40500 | | tcp |
| IR | 2.177.40.206:40500 | | udp |
| US | 8.8.8.8:53 | 206.40.177.2.in-addr.arpa | udp |
| KG | 212.112.121.59:40500 | | udp |
| US | 8.8.8.8:53 | 59.121.112.212.in-addr.arpa | udp |
| UZ | 94.141.69.122:40500 | | udp |
| US | 8.8.8.8:53 | 122.69.141.94.in-addr.arpa | udp |
| KZ | 37.151.202.166:40500 | | udp |
| US | 8.8.8.8:53 | 166.202.151.37.in-addr.arpa | udp |
| MX | 189.141.139.39:40500 | | udp |
| US | 8.8.8.8:53 | 39.139.141.189.in-addr.arpa | udp |
| RU | 31.47.175.39:40500 | | tcp |
| KZ | 5.76.2.36:40500 | | udp |
| US | 8.8.8.8:53 | 36.2.76.5.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\8993.exe
| MD5 | 8d8e6c7952a9dc7c0c73911c4dbc5518 |
| SHA1 | 9098da03b33b2c822065b49d5220359c275d5e94 |
| SHA256 | feb4c3ae4566f0acbb9e0f55417b61fefd89dc50a4e684df780813fb01d61278 |
| SHA512 | 91a573843c28dd32a9f31a60ba977f9a3d4bb19ffd1b7254333e09bcecef348c1b3220a348ebb2cb08edb57d56cb7737f026519da52199c9dc62c10aea236645 |
C:\Users\Admin\AppData\Local\Temp\3130721910.exe
| MD5 | 0c883b1d66afce606d9830f48d69d74b |
| SHA1 | fe431fe73a4749722496f19b3b3ca0b629b50131 |
| SHA256 | d921fc993574c8be76553bcf4296d2851e48ee39b958205e69bdfd7cf661d2b1 |
| SHA512 | c047452a23efad4262479fbfeb5e23f9497d7cefd4cbb58e869801206669c2a0759698c70d18050316798d5d939b989537fdce3842aa742449f5e08ed7fa60a5 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\WQOY74U4\1[1]
| MD5 | 1fcb78fb6cf9720e9d9494c42142d885 |
| SHA1 | fef9c2e728ab9d56ce9ed28934b3182b6f1d5379 |
| SHA256 | 84652bb8c63ca4fd7eb7a2d6ef44029801f3057aa2961867245a3a765928dd02 |
| SHA512 | cdf58e463af1784aea86995b3e5d6b07701c5c4095e30ec80cc901ffd448c6f4f714c521bf8796ffa8c47538bf8bf5351e157596efaa7ab88155d63dc33f7dc3 |
C:\Users\Admin\AppData\Local\Temp\180117683.exe
| MD5 | cb8420e681f68db1bad5ed24e7b22114 |
| SHA1 | 416fc65d538d3622f5ca71c667a11df88a927c31 |
| SHA256 | 5850892f67f85991b31fc90f62c8b7791afeb3c08ae1877d857aa2b59471a2ea |
| SHA512 | baaabcc4ad5d409267a34ed7b20e4afb4d247974bfc581d39aae945e5bf8a673a1f8eacae2e6783480c8baaeb0a80d028274a202d456f13d0af956afa0110fdf |
memory/1728-34-0x00000000001D0000-0x00000000001D6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\50045733.exe
| MD5 | 6946486673f91392724e944be9ca9249 |
| SHA1 | e74009983ced1fa683cda30b52ae889bc2ca6395 |
| SHA256 | 885fbe678b117e5e0eace7c64980f6072c31290eb36d0e14953d6a2d12eff9cd |
| SHA512 | e3241f85def0efefd36b3ffb6722ab025e8523082e4cf3e7f35ff86a9a452b5a50454c3b9530dfdad3929f74a6e42bf2a2cf35e404af588f778e0579345b38c9 |
C:\Users\Admin\AppData\Local\Temp\542527217.exe
| MD5 | 96509ab828867d81c1693b614b22f41d |
| SHA1 | c5f82005dbda43cedd86708cc5fc3635a781a67e |
| SHA256 | a9de2927b0ec45cf900508fec18531c04ee9fa8a5dfe2fc82c67d9458cf4b744 |
| SHA512 | ff603117a06da8fb2386c1d2049a5896774e41f34d05951ecd4e7b5fc9da51a373e3fcf61af3577ff78490cf898471ce8e71eae848a12812fe98cd7e76e1a9ca |
C:\Users\Admin\AppData\Local\Temp\1394617377.exe
| MD5 | 13b26b2c7048a92d6a843c1302618fad |
| SHA1 | 89c2dfc01ac12ef2704c7669844ec69f1700c1ca |
| SHA256 | 1753ad35ece25ab9a19048c70062e9170f495e313d7355ebbba59c38f5d90256 |
| SHA512 | d6aff89b61c9945002a6798617ad304612460a607ef1cfbdcb32f8932ca648bcee1d5f2e0321bb4c58c1f4642b1e0ececc1eb82450fdec7dff69b5389f195455 |
C:\Users\Admin\AppData\Local\Temp\862815267.exe
| MD5 | 0c37ee292fec32dba0420e6c94224e28 |
| SHA1 | 012cbdddaddab319a4b3ae2968b42950e929c46b |
| SHA256 | 981d724feebc36777e99513dc061d1f009e589f965c920797285c46d863060d1 |
| SHA512 | 2b60b571c55d0441ba0cfc695f9db5cd12660ebec7effc7e893c3b7a1c6cb6149df487c31b8d748697e260cbc4af29331592b705ea9638f64a711c7a6164628b |
memory/2336-62-0x00000141B8CD0000-0x00000141B8CF2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ep4tqtz3.ryu.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/4004-76-0x00007FF7DCFC0000-0x00007FF7DD557000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | fee026663fcb662152188784794028ee |
| SHA1 | 3c02a26a9cb16648fad85c6477b68ced3cb0cb45 |
| SHA256 | dbd4136bc342e3e92902ec3a30d165452c82997a7ae24ac90775e42d88959e6b |
| SHA512 | 7b12bd5c8fc4356b9123d6586b4980cf76012663b41c0dab6f6f21567e2f4005c5bcea2cc2158d157e4f801a281f3e04bad3774cddb3122db309ccf662184bd6 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 2ac3c9ba89b8c2ef19c601ecebb82157 |
| SHA1 | a239a4b11438c00e5ff89ebd4a804ede6a01935b |
| SHA256 | 3c2714ce07f8c04b3f8222dfe50d8ae08f548b0e6e79fe33d08bf6f4c2e5143e |
| SHA512 | b1221d29e747b37071761b2509e9109b522cce6411f73f27c9428ac332d26b9f413ae6b8c0aeac1afb7fab2d0b3b1c4af189da12fe506287596df2ef8f083432 |
memory/2768-94-0x000001A1485A0000-0x000001A1485C0000-memory.dmp
memory/1180-95-0x00007FF6C7B60000-0x00007FF6C80F7000-memory.dmp
memory/4340-96-0x00007FF67A180000-0x00007FF67A1A9000-memory.dmp
memory/2768-97-0x00007FF77FCB0000-0x00007FF78049F000-memory.dmp
memory/4340-98-0x00007FF67A180000-0x00007FF67A1A9000-memory.dmp
memory/2768-99-0x00007FF77FCB0000-0x00007FF78049F000-memory.dmp
memory/2768-101-0x00007FF77FCB0000-0x00007FF78049F000-memory.dmp
memory/2768-103-0x00007FF77FCB0000-0x00007FF78049F000-memory.dmp