Malware Analysis Report

2025-01-18 04:25

Sample ID 231219-yt3ypsabdr
Target 8d7e517c9d3b5fe21ea0a658e206556f
SHA256 60a6eab67a9084a9062e927af2d3baa082b68f03cd695cc10973fbd162a644d0
Tags
quasar office04 persistence pyinstaller spyware trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

60a6eab67a9084a9062e927af2d3baa082b68f03cd695cc10973fbd162a644d0

Threat Level: Known bad

The file 8d7e517c9d3b5fe21ea0a658e206556f was found to be: Known bad.

Malicious Activity Summary

quasar office04 persistence pyinstaller spyware trojan

Quasar RAT

Quasar payload

Blocklisted process makes network request

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Looks up external IP address via web service

Adds Run key to start application

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops autorun.inf file

Unsigned PE

Enumerates physical storage devices

Detects Pyinstaller

Program crash

Creates scheduled task(s)

Suspicious use of AdjustPrivilegeToken

Runs ping.exe

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-19 20:05

Signatures

Unsigned PE

Description Indicator Process Target
(1 match; no indicator, process or target details recorded)

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-19 20:05

Reported

2023-12-20 01:18

Platform

win7-20231129-en

Max time kernel

145s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8d7e517c9d3b5fe21ea0a658e206556f.exe"

Signatures

Quasar RAT

trojan spyware quasar

Quasar payload

Description Indicator Process Target
(14 matches; no indicator, process or target details recorded)

Loads dropped DLL

Description Indicator Process Target
(34 rows in the original, one per DLL load; the sandbox records the loading process but not the DLL name. Collapsed by process, in first-seen order:)

Process Loads
C:\Users\Admin\AppData\Local\Temp\8d7e517c9d3b5fe21ea0a658e206556f.exe 3
(not recorded) 1
C:\Users\Admin\AppData\Local\Temp\Tjlhmjuvlwj.exe 1
C:\Users\Admin\AppData\Local\Temp\Bscz.exe 21
C:\Windows\SysWOW64\WerFault.exe 7
C:\Windows\SysWOW64\cmd.exe 1

The 21 loads by Bscz.exe line up with the PyInstaller runtime (.dll and .pyd files under _MEI25402) listed in the Files section.

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Api Update = "\"C:\\Users\\Admin\\AppData\\Roaming\\SubDir\\update.exe\"" C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Drops autorun.inf file

Description Indicator Process Target
File created C:\autorun.inf C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
File created F:\autorun.inf C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A

Detects Pyinstaller

pyinstaller
Description Indicator Process Target
(8 matches; no indicator, process or target details recorded)

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Roaming\SubDir\update.exe

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Tjlhmjuvlwj.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target Writes
(64 rows in the original, one per WriteProcessMemory call; collapsed to one row per parent/child pair with the number of calls)
PID 2248 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\8d7e517c9d3b5fe21ea0a658e206556f.exe C:\Users\Admin\AppData\Local\Temp\Bscz.exe 4
PID 2248 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\8d7e517c9d3b5fe21ea0a658e206556f.exe C:\Users\Admin\AppData\Local\Temp\Tjlhmjuvlwj.exe 4
PID 2712 wrote to memory of 1584 N/A C:\Users\Admin\AppData\Local\Temp\Tjlhmjuvlwj.exe C:\Windows\SysWOW64\schtasks.exe 4
PID 2712 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\Tjlhmjuvlwj.exe C:\Users\Admin\AppData\Roaming\SubDir\update.exe 7
PID 2540 wrote to memory of 2456 N/A C:\Users\Admin\AppData\Local\Temp\Bscz.exe C:\Users\Admin\AppData\Local\Temp\Bscz.exe 3
PID 2792 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Roaming\SubDir\update.exe C:\Windows\SysWOW64\schtasks.exe 4
PID 2792 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Roaming\SubDir\update.exe C:\Windows\SysWOW64\schtasks.exe 4
PID 2792 wrote to memory of 1612 N/A C:\Users\Admin\AppData\Roaming\SubDir\update.exe C:\Windows\SysWOW64\cmd.exe 4
PID 2792 wrote to memory of 968 N/A C:\Users\Admin\AppData\Roaming\SubDir\update.exe C:\Windows\SysWOW64\WerFault.exe 4
PID 1612 wrote to memory of 1676 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com 4
PID 1612 wrote to memory of 776 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE 4
PID 1612 wrote to memory of 2016 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\SubDir\update.exe 7
PID 2688 wrote to memory of 1668 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\SubDir\update.exe 7
PID 2688 wrote to memory of 824 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\SubDir\update.exe 4

Process chain derived from these rows (command lines taken from the Processes section; by the order of that section, 1584 is the task pointing at Tjlhmjuvlwj.exe, and the two schtasks children of 2792 are the WINDOWSSYSTEMHOST and Microsoft Api Update tasks, in unknown order):

2248 8d7e517c9d3b5fe21ea0a658e206556f.exe (submitted sample)
  2540 Bscz.exe
    2456 Bscz.exe
  2712 Tjlhmjuvlwj.exe
    1584 schtasks.exe  /create "Microsoft Api Update" /sc ONLOGON /rl HIGHEST
    2792 update.exe  (SeDebugPrivilege; writes the Run key and autorun.inf; crashes, see WerFault 968)
      2760 schtasks.exe
      2424 schtasks.exe
      1612 cmd.exe  /c Qi3p8NvMxhxk.bat
        1676 chcp.com  65001
        776 PING.EXE  -n 10 localhost
        2016 update.exe
      968 WerFault.exe  -p 2792
2688 taskeng.exe (scheduled-task host)
  1668 update.exe
  824 update.exe

Points worth reading off the tree: every pair is a parent writing into a process it has just started, as CreateProcess does, rather than injection into an unrelated process; Bscz.exe (2540) re-executing itself as 2456 is the PyInstaller onefile bootloader pattern, and the extraction directory _MEI25402 in the Files section carries its PID; the batch file run by cmd.exe uses ping -n 10 localhost as a sleep before relaunching update.exe; and the two update.exe instances under taskeng.exe are the scheduled task firing.
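The chain above can be rebuilt mechanically. The following Python is an added example, not part of the sandbox report or of any tool it names: it parses the "PID X wrote to memory of Y" lines, collapses the repeated rows into one edge each, and flags the cmd.exe delay-and-relaunch pattern seen here (batch file, chcp, ping -n N localhost, then an executable started from a user-writable directory). The WriteProcessMemory lines and command lines are copied from this report; joining the two sections by image basename and the list of user-writable directories are the example's own assumptions.

```python
import re
from collections import defaultdict

# Added example, not part of the sandbox report: rebuild the process tree from the
# report's "PID <parent> wrote to memory of <child>" lines and flag the
# delay-and-relaunch chain cmd.exe ran here. The sandbox writes one line per
# WriteProcessMemory call, so the first entry below is repeated on purpose to show
# that duplicates collapse into one edge.
T = r"C:\Users\Admin\AppData\Local\Temp"
R = r"C:\Users\Admin\AppData\Roaming\SubDir"
S = r"C:\Windows\SysWOW64"
WPM_LINES = [  # copied from this report (representative subset)
    rf"PID 2248 wrote to memory of 2540 N/A {T}\8d7e517c9d3b5fe21ea0a658e206556f.exe {T}\Bscz.exe",
    rf"PID 2248 wrote to memory of 2540 N/A {T}\8d7e517c9d3b5fe21ea0a658e206556f.exe {T}\Bscz.exe",
    rf"PID 2248 wrote to memory of 2712 N/A {T}\8d7e517c9d3b5fe21ea0a658e206556f.exe {T}\Tjlhmjuvlwj.exe",
    rf"PID 2540 wrote to memory of 2456 N/A {T}\Bscz.exe {T}\Bscz.exe",
    rf"PID 2712 wrote to memory of 1584 N/A {T}\Tjlhmjuvlwj.exe {S}\schtasks.exe",
    rf"PID 2712 wrote to memory of 2792 N/A {T}\Tjlhmjuvlwj.exe {R}\update.exe",
    rf"PID 2792 wrote to memory of 2760 N/A {R}\update.exe {S}\schtasks.exe",
    rf"PID 2792 wrote to memory of 2424 N/A {R}\update.exe {S}\schtasks.exe",
    rf"PID 2792 wrote to memory of 1612 N/A {R}\update.exe {S}\cmd.exe",
    rf"PID 2792 wrote to memory of 968 N/A {R}\update.exe {S}\WerFault.exe",
    rf"PID 1612 wrote to memory of 1676 N/A {S}\cmd.exe {S}\chcp.com",
    rf"PID 1612 wrote to memory of 776 N/A {S}\cmd.exe {S}\PING.EXE",
    rf"PID 1612 wrote to memory of 2016 N/A {S}\cmd.exe {R}\update.exe",
    rf"PID 2688 wrote to memory of 1668 N/A C:\Windows\system32\taskeng.exe {R}\update.exe",
    rf"PID 2688 wrote to memory of 824 N/A C:\Windows\system32\taskeng.exe {R}\update.exe",
]
# Command lines from the "Processes" section, joined to the tree by image basename
# (assumption: the report prints no PIDs there, but each basename needed has one command line).
CMDLINES = {
    "cmd.exe": r'cmd /c ""C:\Users\Admin\AppData\Local\Temp\Qi3p8NvMxhxk.bat" "',
    "chcp.com": "chcp 65001",
    "PING.EXE": "ping -n 10 localhost",
    "update.exe": rf'"{R}\update.exe"',
}

WPM = re.compile(r"PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)")
# "ping -n N localhost" in a batch file is a sleep of roughly N-1 seconds.
PING_SLEEP = re.compile(r"\bping(?:\.exe)?\s+-n\s+(\d+)\s+(?:localhost|127\.0\.0\.1)\b", re.I)
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")  # assumed list


def basename(path):
    return path.rsplit("\\", 1)[-1]


def is_user_writable(path):
    return any(seg in path.lower() for seg in USER_WRITABLE)


def build_tree(lines):
    """Return (children, image): children[pid] is the de-duplicated, first-seen-ordered
    list of child PIDs; image[pid] is the process image path."""
    children, image = defaultdict(list), {}
    for line in lines:
        m = WPM.match(line)
        if not m:
            continue
        parent, child = int(m.group(1)), int(m.group(2))
        image.setdefault(parent, m.group(3))
        image.setdefault(child, m.group(4))
        if child not in children[parent]:
            children[parent].append(child)
    return children, image


def roots(children):
    """PIDs that never appear as a child: the submitted sample and the task-scheduler host."""
    kids = {c for cs in children.values() for c in cs}
    return sorted(p for p in children if p not in kids)


def render_tree(children, image, pid, depth=0):
    """Indented 'pid basename' lines for the subtree rooted at pid."""
    lines = ["  " * depth + f"{pid} {basename(image[pid])}"]
    for kid in children.get(pid, []):
        lines.extend(render_tree(children, image, kid, depth + 1))
    return lines


def find_delay_relaunch(children, image, cmdline_of=lambda img: CMDLINES.get(basename(img))):
    """[(cmd_pid, sleep_seconds, relaunched_pid)] for each cmd.exe whose children are a
    ping-to-localhost delay followed by an executable started from a user-writable path."""
    hits = []
    for pid, kids in list(children.items()):
        if basename(image[pid]).lower() != "cmd.exe":
            continue
        sleep = relaunch = None
        for kid in kids:
            m = PING_SLEEP.search(cmdline_of(image[kid]) or "")
            if m:
                sleep = int(m.group(1))
            elif sleep is not None and is_user_writable(image[kid]):
                relaunch = kid
        if sleep is not None and relaunch is not None:
            hits.append((pid, sleep, relaunch))
    return hits


if __name__ == "__main__":
    children, image = build_tree(WPM_LINES)
    for root in roots(children):
        print("\n".join(render_tree(children, image, root)))
    print("delay/relaunch chains:", find_delay_relaunch(children, image))
```

Running the block prints the two trees rooted at 2248 and 2688 and reports the single chain (1612, 10, 2016): cmd.exe 1612 slept about nine seconds via ping and then started update.exe 2016 from the Roaming profile. The same three functions work unchanged on the full 64-row section.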

Processes

C:\Users\Admin\AppData\Local\Temp\8d7e517c9d3b5fe21ea0a658e206556f.exe

"C:\Users\Admin\AppData\Local\Temp\8d7e517c9d3b5fe21ea0a658e206556f.exe"

C:\Users\Admin\AppData\Local\Temp\Bscz.exe

"C:\Users\Admin\AppData\Local\Temp\Bscz.exe"

C:\Users\Admin\AppData\Local\Temp\Tjlhmjuvlwj.exe

"C:\Users\Admin\AppData\Local\Temp\Tjlhmjuvlwj.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Microsoft Api Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Tjlhmjuvlwj.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Roaming\SubDir\update.exe

"C:\Users\Admin\AppData\Roaming\SubDir\update.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /tn "WINDOWSSYSTEMHOST" /tr "C:\Users\Admin\AppData\Roaming\SubDir\update.exe" /sc MINUTE /MO 1

(The command line names System32 but the process ran from SysWOW64: update.exe is a 32-bit process, so WOW64 file-system redirection substitutes the 32-bit schtasks binary. The task re-runs update.exe every minute.)

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Microsoft Api Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\update.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Local\Temp\Bscz.exe

"C:\Users\Admin\AppData\Local\Temp\Bscz.exe"

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2792 -s 1640

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\Qi3p8NvMxhxk.bat" "

C:\Users\Admin\AppData\Roaming\SubDir\update.exe

"C:\Users\Admin\AppData\Roaming\SubDir\update.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {E8B13CE9-874D-4178-9461-D2D0E392F752} S-1-5-21-3470981204-343661084-3367201002-1000:GLTGRJAG\Admin:Interactive:[1]

C:\Users\Admin\AppData\Roaming\SubDir\update.exe

C:\Users\Admin\AppData\Roaming\SubDir\update.exe

C:\Users\Admin\AppData\Roaming\SubDir\update.exe

C:\Users\Admin\AppData\Roaming\SubDir\update.exe
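The three schtasks invocations and the Run value above share the traits a detection usually keys on: a target under the user's profile, a vendor-sounding task name, an ONLOGON trigger combined with /rl HIGHEST, a one-minute repeat, and /f to overwrite an existing task. The following Python is an added example, not part of the report, that parses schtasks /create command lines and scores those traits. The report's three schtasks lines and the Run value are the inputs; the NightlyBackup task is constructed for contrast, and the user-writable directory list and lookalike word list are the example's assumptions.

```python
import re

# Added example, not part of the sandbox report: score schtasks.exe command lines and
# Run-key values for the persistence traits this detonation shows. REPORT_TASKS and
# RUN_VALUE are copied from the "Processes" and "Adds Run key" sections above;
# BENIGN_TASK is constructed for contrast.
REPORT_TASKS = [
    r'"schtasks" /create /tn "Microsoft Api Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Tjlhmjuvlwj.exe" /rl HIGHEST /f',
    r'"C:\Windows\System32\schtasks.exe" /create /tn "WINDOWSSYSTEMHOST" /tr "C:\Users\Admin\AppData\Roaming\SubDir\update.exe" /sc MINUTE /MO 1',
    r'"schtasks" /create /tn "Microsoft Api Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\update.exe" /rl HIGHEST /f',
]
RUN_VALUE = ("Microsoft Api Update", r'"C:\Users\Admin\AppData\Roaming\SubDir\update.exe"')
BENIGN_TASK = r'schtasks /create /tn "NightlyBackup" /tr "C:\Program Files\Acme\backup.exe" /sc DAILY /st 02:00'

# /switch, optionally followed by a quoted or bare value (a value never starts with "/").
_SWITCH = re.compile(r'/(\w+)(?:\s+("[^"]*"|[^\s/]\S*))?')
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")  # assumed list
LOOKALIKE_WORDS = ("microsoft", "windows", "update")  # assumed vendor-sounding name fragments


def parse_schtasks(cmdline):
    """{switch: value} with switches lower-cased, quotes stripped, valueless switches -> None."""
    args = {}
    for m in _SWITCH.finditer(cmdline):
        val = m.group(2)
        args[m.group(1).lower()] = val.strip('"') if val else None
    return args


def is_user_writable(path):
    return any(seg in path.lower() for seg in USER_WRITABLE)


def _traits(name, target, schedule="", runlevel="", modifier=None, forced=False):
    """Ordered list of persistence traits for one task or Run value."""
    traits = []
    if is_user_writable(target):
        traits.append("user_writable_target")
    if runlevel.lower() == "highest":
        traits.append("highest_runlevel")
    if schedule.lower() == "onlogon":
        traits.append("logon_trigger")
    if schedule.lower() == "minute" and int(modifier or 1) <= 5:
        traits.append("high_frequency")
    if forced:
        traits.append("force_overwrite")
    if is_user_writable(target) and any(w in name.lower() for w in LOOKALIKE_WORDS):
        traits.append("vendor_lookalike_name")
    return traits


def task_traits(cmdline):
    """Traits of one 'schtasks /create' command line ([] when it is not a /create)."""
    a = parse_schtasks(cmdline)
    if "create" not in a:
        return []
    return _traits(a.get("tn") or "", a.get("tr") or "", a.get("sc") or "",
                   a.get("rl") or "", a.get("mo"), "f" in a)


def run_value_traits(name, data):
    """Same scoring for a HKCU Run value; the data is the launch command line."""
    return _traits(name, data.strip('"'))


if __name__ == "__main__":
    for line in REPORT_TASKS + [BENIGN_TASK]:
        print(len(task_traits(line)), task_traits(line), line[:60])
    print(run_value_traits(*RUN_VALUE), "Run:", RUN_VALUE[0])
```

Each of the two Microsoft Api Update lines scores five traits, the WINDOWSSYSTEMHOST line three (user-writable target, one-minute repeat, lookalike name), and the constructed backup task none. The switch parser deliberately treats anything after a switch that does not itself start with "/" as that switch's value, so quoted paths containing spaces survive intact.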

Network

Country Destination Domain Proto
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 fw1.sshreach.me udp

ip-api.com is the external-IP lookup flagged in the signatures, fetched over plain HTTP on port 80. fw1.sshreach.me appears only as a DNS query to 8.8.8.8; no TCP connection to whatever it resolved to is recorded in this run, so treat it as a network indicator carried by the sample rather than as observed command-and-control traffic.

Files

memory/2248-0-0x00000000742F0000-0x00000000749DE000-memory.dmp

memory/2248-1-0x0000000000400000-0x0000000001944000-memory.dmp

memory/2248-2-0x0000000005A80000-0x0000000005AC0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Bscz.exe

MD5 da04b8b301da6f2ecebb644755789f11
SHA1 729f54b2b2ffae91112afd57a1a2cea0d5452d8d
SHA256 5f56117d2c8521c71ab4dfb877513ad926908d77fe77dc538081dfb1e87e42e2
SHA512 93541bfe6470451d539785bcc473ac06d8f91cfe728349e280a8641b438a69caf7a5f0071448f23c778153af7f435cfb558116bea2d36f3dc8a762134163606e

C:\Users\Admin\AppData\Local\Temp\Bscz.exe

MD5 9b7320ebe49f06e1516682207fdda20a
SHA1 df4240b6fbe91f87d949923ef30718439ec471c6
SHA256 b8b6664774a867bf4d86c43ae95bb13b927206ef97947f5c80bb1e371f32933e
SHA512 6fcea8b4632cb742deba9651ee4a1efb0c2775b9eb285d761c8910dedb12079c7a9b5ec595581bd65c66463f3067cd448e4002a4680cee5e0a2263dc0dc94a9b

\Users\Admin\AppData\Local\Temp\Bscz.exe

MD5 19b65bd9fb20ce1189200d847bb1eb1a
SHA1 f043cd5a09c724f65b112d8af8935a89cfa2d2d1
SHA256 740305d655f05dcad293dc539c6e83ef963e35419d7be7e38902dda254e6c6a1
SHA512 d5f40833f880f93a04868e0741fe40c4ca12da8a1925ea4cd62f59d945032c022d7bdb2abe090b2f06cec3c9cb3f0d1586e65a5475054c999792f797103676f5

\Users\Admin\AppData\Local\Temp\Bscz.exe

MD5 bd3ed3011ae4cfcc1ebc42abe425f9b4
SHA1 c2f4abd1a1bdfce8f7a547c8a877bcae75e8bf57
SHA256 93f702977781b3aef5088a234f3b9420ed782c8955a0bac8af0c1c1e2687c674
SHA512 d6dbbae365a27e1aaccc2cd0586f1afc49c135a02d6587b82cf0bb0194eed03d185fcb4cd94e68d71a9f1261d7d14cecf7beb7f1dd4458c67f7f5c5707bf4431

\Users\Admin\AppData\Local\Temp\Bscz.exe

MD5 3c37891b288f39159f86cc2c1d842e8d
SHA1 512a6d3e78400057863eae91ddea806fdaa9b7dd
SHA256 ce67c9a7764014b9ec9568e1a29a0f4f2e4a76c1e693744d4975eb013be66f88
SHA512 8382fc5ef4a8c0c2f123d099c7654502e6cc36d612cd0df1ddd7eac10152e366c660782b3cbb78f4ddba946276901b20b4cfb38220d93bc3ee31ac35298d46f2

C:\Users\Admin\AppData\Local\Temp\Bscz.exe

MD5 68590b914e17508317c6ebc893d6a149
SHA1 ab69b8a2d935e3aac7fd6bfe78f22729edaac7c5
SHA256 3cd0d6b78f76d72a9c5ce7dc20530874a20e5e893d16fc6ebf73fb299c0abc1b
SHA512 58d8e3f21d975577e9047a6e4bd3b1ced43a2a0c02b80d52ce41bfc565bea869e673bf8cba083ea318760e43844577d5e8eac325d720f2ce955553ea8b88d6b9

C:\Users\Admin\AppData\Local\Temp\Tjlhmjuvlwj.exe

MD5 7b9932eaeae1e01cd4ceacee4d281481
SHA1 dd06811bec512802e30c476e5ba42543c13a7ae1
SHA256 e95b4d1756ef2b4564120b99c4ce9297ecee7ae4bd3ab4105d75c95e79359a17
SHA512 96a55239585ab233768a2ecf6347d317edf7abb3f3a8b4a4b0a8f5a7fa4977affb6261e3e62c4ea2e23592c245125c68f8650a6f66aa76db55e9085f347960df

\??\c:\users\admin\appdata\local\temp\tjlhmjuvlwj.exe

MD5 4c587420a8165046ab3a852a1cd53b5f
SHA1 4c9df6a2b3a454a2d5d607eafd917fe9902ae4ce
SHA256 ea845a717a53078063063783be3fb5c83d585b827a29b13071c67305157281d0
SHA512 6da407f97d5430ebc975c3b3e7a217b94ad9e8c95dc921b8a05c501124f5d58d85dcbcbb3edc4e3fe9037661b87040ae1beb933a66796a663c133f1ea0824acc

\Users\Admin\AppData\Local\Temp\Tjlhmjuvlwj.exe

MD5 83221f2e824c016c5bc26ce4541baa48
SHA1 8202182e4801a0a56474ed35fdd3b8c9bc4c7964
SHA256 a347aff3a8b6633760563447155f74dad6c43c15f32e5b955c840d0907a53c8b
SHA512 bd6e2da0b79c307c18a11d77486a2a661fb3aaa21600c2f6b2e00bc88823dbe86dd46fdf0d2eef90e693ebd640162d70d90b1c0285f7b3f669c646c6ef13de62

memory/2248-41-0x000000000D7F0000-0x000000000DB94000-memory.dmp

memory/2712-46-0x0000000000280000-0x0000000000624000-memory.dmp

memory/2712-64-0x0000000000280000-0x0000000000624000-memory.dmp

memory/2712-67-0x00000000742F0000-0x00000000749DE000-memory.dmp

memory/2712-85-0x0000000004660000-0x00000000046A0000-memory.dmp

memory/2248-91-0x00000000742F0000-0x00000000749DE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI25402\botocore\data\appsync\2017-07-25\examples-1.json

MD5 0584826da7a4673f48cd89e852d26691
SHA1 b423744f648cccdf3e210124b230635d4eda4975
SHA256 2b76fa9a06248adbdc79c4a5253fa257f1100139af3b24aceba88a248e6ac748
SHA512 ca79e3e2211f927e61c39874c19f6c6e3dade609eb1776f51e85262a3d8341a5cf9f1dd13b0f5e7ea6e45322cd58ee3b46c3df5a0239033303a84e46571577b8

memory/2712-52-0x0000000000280000-0x0000000000624000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI25402\botocore\data\backup\2018-11-15\paginators-1.json

MD5 8aa5cf05946154bb458837d470900282
SHA1 167bb1ca7291bcfc1d881ca364cc966d428ff6ae
SHA256 84843b01b2c1b18e1f3d234b54c834752e399ba72364a1538dba7764b878ce3f
SHA512 026db05c7a91284b26faa199add32f1c05069b017aede8afd7a3f9b487da74984ddfdfa547af646bb6ebfedd2806d5a606809270a5a18d87d87b317e284eb236

C:\Users\Admin\AppData\Local\Temp\_MEI25402\botocore\data\cloudfront\2015-07-27\waiters-2.json

MD5 99bf7fd6a0bae78836407f02c6657c8a
SHA1 0a20b75298f52e9da04cf8056a99cbede7901a48
SHA256 8f3444a83c5f220d8a6e63d83a60e86200efcbc9960042b4c3f3661280aa8472
SHA512 3c4077e5dac77db12a3afb7b835f31cc2fd1976051113004416bf62b9bbe20730d9a4c45d003aae8952d2ce0fe5e362f2c1698d67c4293dc36e0222724f31106

C:\Users\Admin\AppData\Local\Temp\_MEI25402\botocore\data\cloudfront\2015-07-27\paginators-1.json

MD5 a9f3dde6c5e456029a2ebe3de89651cc
SHA1 5344f7ad65a011ea4acdb6c947e4182f14909222
SHA256 23bbb88753057e506f1497a672b2c74a7eee3ab11e0c573b79c586ab00f1185f
SHA512 381c046e6c2c567ded302c42f3bbbf03e8c272c9e9a985113c387bdf006011e61cf137704537f694f3db4f3f9f045c5153d86223692b065d76bd0e030bf1d060

C:\Users\Admin\AppData\Local\Temp\_MEI25402\pytz\zoneinfo\Africa\Lagos

MD5 3b4db0742fa8267a2d7efa548a30f9a2
SHA1 cdca88d4a729d78b572a5d3cc84f3e99989e4f46
SHA256 c6a2cd1aa6e31d9d49b881ec1173fdb6d5d26f7bfe196a7df12275e292fab14c
SHA512 fa356585caa8325d3f74251256c3ca2b894904dcdb7ad5f2ed6bb7ec12c98fdf3d69a080a0af413ef7ca101f9ccbc2fb28fb6d5d6a6d2f84281ccbd798fbb6da

C:\Users\Admin\AppData\Local\Temp\_MEI25402\pytz\zoneinfo\Africa\Kigali

MD5 b77fb20b4917d76b65c3450a7117023c
SHA1 b99f3115100292d9884a22ed9aef9a9c43b31ccd
SHA256 93f19e9551d58868ae5820752d2c93a486124c364463dc9c9489d0458f8bc682
SHA512 a088c2a4c7d72717257c3125c7c2aca28463d68306ea452afaad75b8a0f9e5730a8d9c430d14668809717a672dc63c4816762acb046b339da662da421a6d65df

C:\Users\Admin\AppData\Local\Temp\_MEI25402\pytz\zoneinfo\America\Guadeloupe

MD5 ea7e528e528955259af3e65d86ba8e49
SHA1 8ee1b0d3b895b4195e0b580b67c0b2ee1010d29d
SHA256 d7b813d9e39530528917fb32a700cfb9d905c061228eb45f90153e68adc52fad
SHA512 95996a13576f1b9b6a58c4636dd56ce44e5c702416ad83d59cbaa588962c9a5865ff1c5f3769a475eaf9994d2baaa429eb99869fd4110b93679d94f81cbb1304

C:\Users\Admin\AppData\Local\Temp\_MEI25402\pytz\zoneinfo\Africa\Djibouti

MD5 9953f5fda89eba25650d5e42adda36cd
SHA1 cc8958cc687a1f8169316cd7a93764403e935740
SHA256 52e9bc212ce945a0e1f37d223647d1bdaf919fa353bae1873568e28390b6f59a
SHA512 61b92a1a9978a58597f2fec6949605ee0fbcd7e4a4e31861a0647c20d1ebbdefb01c72a9f24a77807a1129c6720f3a1fc0e7fc9ab83789caebfc69a9540ce763

C:\Users\Admin\AppData\Local\Temp\_MEI25402\pytz\zoneinfo\Africa\Conakry

MD5 09a9397080948b96d97819d636775e33
SHA1 5cc9b028b5bd2222200e20091a18868ea62c4f18
SHA256 d2efac4e5f23d88c95d72c1db42807170f52f43dd98a205af5a92a91b9f2d997
SHA512 2eccf2515599ed261e96da3fbcfbab0b6a2dfc86a1d87e3814091709f0bfe2f600c3044c8555ed027978a8ae9045666ee639a8c249f48d665d8e5c60f0597799

C:\Users\Admin\AppData\Roaming\SubDir\update.exe

MD5 0aca5ac6a474bb38d7b5afc0f217303a
SHA1 42be24d03b3cafafc1a40c555b964ebe7f4e1539
SHA256 5fc1516b1ea804269007f182a009eb2774d921af3a696b84e4b7034f81d00744
SHA512 dc5a4673de0e05e5af1e25cd961beb019461bedfded0ed189f81ef05a5c1ab3224ba25cb0a9f4e77679b1c84317a177c2b503a95b0cba2384484ebadeb4c4d3e

C:\Users\Admin\AppData\Local\Temp\_MEI25402\pytz\zoneinfo\Europe\London

MD5 3d9add8c0dd4f406b8a9ad6f1219fb95
SHA1 c0b30d0940f65b8819cd6628d0670784dcb6b344
SHA256 c69d3cc15e384d932601d06aa69b6d0c285001bf2d44dd3719c121b7df5162d6
SHA512 9c82987fa7919fc333f3f04b309345b91240fa60d205a144b6ca10fcb586fddc3e9725e71da5a588eddd21bf99265dfe1495bb16df4367a82df57e103a324c78

C:\Users\Admin\AppData\Local\Temp\_MEI25402\pytz\zoneinfo\Etc\Greenwich

MD5 9cd2aef183c064f630dfcf6018551374
SHA1 2a8483df5c2809f1dfe0c595102c474874338379
SHA256 6d9f378883c079f86c0387a5547a92c449869d806e07de10084ab04f0249018d
SHA512 dafa0cb9d0a8e0ff75a19be499751ad85372aafa856ff06dd68ecf2b1c5578bb98a040becaecf0aed2c3e4ff7372ff200fe7614334756d19fe79dd61c01d4e92

C:\Users\Admin\AppData\Local\Temp\_MEI25402\pytz\zoneinfo\Europe\Skopje

MD5 df200e39cf4a3fc361cc50ea123c782e
SHA1 bc2b1fffe065751e03511f6155b8ba43fe84b65c
SHA256 4a1541562d80377db1286443010583fab454215d42061fa80d8b938e66876412
SHA512 44ee7ad3ac466417eea7db9b6919b66cf916702efe079ddb7e076ce04f6f68ea71053b8b4a588fe3677518f0d6590dbe321c11803512269e65a154c6394c378a

C:\Users\Admin\AppData\Local\Temp\_MEI25402\pytz\zoneinfo\PRC

MD5 09dd479d2f22832ce98c27c4db7ab97c
SHA1 79360e38e040eaa15b6e880296c1d1531f537b6f
SHA256 64ffc2e43a94435a043c040d1d3af7e92d031adc78e7737af1861baa4eeef3e6
SHA512 f88ae25f3f04c7d5d5f98aafecc03cc7e4e56f1cd4c8deba6afd043f0fb7fe67b4d50e4df5493e77c6b34ba183e019442e736a13f784ba8c2847c06fd74ff200

C:\Users\Admin\AppData\Local\Temp\_MEI25402\pytz\zoneinfo\UCT

MD5 38bb24ba4d742dd6f50c1cba29cd966a
SHA1 d0b8991654116e9395714102c41d858c1454b3bd
SHA256 8b85846791ab2c8a5463c83a5be3c043e2570d7448434d41398969ed47e3e6f2
SHA512 194867d0cf66c2de4969dbfeb58c775964ecb2132acdc1b000b5ef0998cefde4a2979ffc04ec8b7dcb430e43326a79d9cedb28ecea184345aa7d742eaf9234ac

\Users\Admin\AppData\Roaming\SubDir\update.exe

MD5 babe503ac797d382fe02f1e4b5bdc6d2
SHA1 033e33f3de9426d0705a4a36a8cd448c600c2507
SHA256 47431a93a74a5ac28ea58e4c18742b19c7cdea036e36fca3ede24c95867cd246
SHA512 446035bb8446f91662ec48d222131006783529ff60c144d554fcd8a5eed2a2ff3c93f7b56b048ff5f9053d7d7b20c7a3f1e8025297491b074ffdf457b3d3b695

memory/2712-1508-0x00000000080E0000-0x0000000008484000-memory.dmp

\??\c:\users\admin\appdata\roaming\subdir\update.exe

MD5 4b0ff3d51f938c410ae9ad7e85a0d170
SHA1 c451b3668c5c4fd979aa674219505cbdc3968b18
SHA256 36c58411f71d0a3a8659557f94fa15f9b6daa45d9e93e3f0ddba03eccec7214b
SHA512 3a259da04abd2ce5173dede2197f1e836ab6078b1d4aac100da284a83eb65e432c9e25c85e98963b77abd967340425d171253d16f66e29844e2a3bedc7949aee

C:\Users\Admin\AppData\Roaming\SubDir\update.exe

MD5 3581b2e66bcfeda463e3ab1694337d24
SHA1 d5e3734205453f314c28abaeaf3b51378a55918a
SHA256 a3e777a622b813f56cfb519781c5731c1e47adad08a1d168943e5a5d3c9f60d7
SHA512 37e8545fd1aa86410b6cf7eea42303c9c0d78f12c9ceed4875cac37aa4293deb441e724ff0238860b611f0c885b31a237b07e3cc702d02684c2c1223c6437000

memory/2792-1522-0x00000000003B0000-0x0000000000754000-memory.dmp

memory/2792-1523-0x00000000003B0000-0x0000000000754000-memory.dmp

memory/2792-1521-0x00000000003B0000-0x0000000000754000-memory.dmp

memory/2792-1559-0x0000000006E60000-0x0000000006EA0000-memory.dmp

memory/2712-1569-0x00000000742F0000-0x00000000749DE000-memory.dmp

memory/2712-1587-0x0000000000280000-0x0000000000624000-memory.dmp

memory/2792-1570-0x00000000742F0000-0x00000000749DE000-memory.dmp

\Users\Admin\AppData\Local\Temp\_MEI25402\VCRUNTIME140.dll

MD5 e08c57d7d92590796a0bcf3fa8d9677e
SHA1 221c0d315b967f2a5e9ab608143d33842d54b272
SHA256 6932709266a6747df2a70bedd50913c15dedeea9f579a99ba72be144b02576ee
SHA512 733c7a47b8e211fb7f42769ceca84d0354e16629e72045549d2179dcebf59e825aed739c405f9232b662d6fa9fc2670d1a1f40a92f6eede5cdc989081beb36f0

\Users\Admin\AppData\Local\Temp\_MEI25402\libffi-7.dll

MD5 eef7981412be8ea459064d3090f4b3aa
SHA1 c60da4830ce27afc234b3c3014c583f7f0a5a925
SHA256 f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081
SHA512 dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016

C:\Users\Admin\AppData\Local\Temp\_MEI25402\libcrypto-1_1.dll

MD5 4cf96259e8ad218373f36901e3bb1ac2
SHA1 85c7cf0012f2c3b78c28a533bafd730b4a1da21d
SHA256 9616a97fa71ce6ee8ff89cdc27a2cde7e2ce19a85f9bc552cec72ed4c534f82f
SHA512 f15b6a528b7370ae1545de2316e18092d34e81f1e65d83b211df2026388ae081af6b3f33c3baf05e3fa938380471081a1768b42941b901bff19c0c3ad0eb3d24

\Users\Admin\AppData\Local\Temp\_MEI25402\pyexpat.pyd

MD5 11a886189eb726d5786926cc09f9e116
SHA1 d94295368a1285681fb03bac0553eb1495d43805
SHA256 dc38bdbe10cfaa99799e0c87aa8444fc062d445b87686d6593ffca46cc938031
SHA512 405c56487a91ad1209029ca6ea125642076251f0a8c069eef0e30ce484381db7bf24d2f5cd74b83d1c8c1358f92f35fa6ed7b75601ace611cf36bb2331588684

\Users\Admin\AppData\Local\Temp\_MEI25402\_hashlib.pyd

MD5 5fa7c9d5e6068718c6010bbeb18fbeb3
SHA1 93e8875d6d0f943b4226e25452c2c7d63d22b790
SHA256 2e98f91087f56dfdffbbdd951cd55cd7ea771cec93d59cadb86b964ed8708155
SHA512 3104aa8b785740dc6a5261c27b2bdc6e14b2f37862fa0fba151b1bc1bfc0e5fb5b6934b95488fa47c5af3fc2b2283f333ff6517b6f8cf0437c52cf171da58bf5

\Users\Admin\AppData\Local\Temp\_MEI25402\unicodedata.pyd

MD5 b8994a63e3604613c29b6bfeb2f78c02
SHA1 b74ba1f642b9b4c3447880c822ab1d770a73ed8f
SHA256 e790a1cd5a51a1e721a6370dc8a94a512d0af5b3f9ab08a38cdd1c410826a772
SHA512 d45e14cd8f8b2c74501d528eea55832c68f7d6a773a51f240155056720090a359d94f909ee9a93bdea2c665440dbb44af60dc1ba0e0382c9ff7a925e89bce892

\Users\Admin\AppData\Local\Temp\_MEI25402\_decimal.pyd

MD5 91dc45f399f04777af626ffcd51fa0f3
SHA1 769fd0dc0dc3c399550355d3b96bdd9fed589210
SHA256 896320d1f3dd2d72bdeb4c8665a691e69e47281c322c3b8f7e3fdec2164169f3
SHA512 2826fca9155a5c38c638c52f358a9a2696bd51dc97fab5f9a4ef78e5f020f98e243682a8869c496e9650510399c5bf26917168c2eb6f51d69299115d9075d7d0

\Users\Admin\AppData\Local\Temp\_MEI25402\_cffi_backend.cp38-win_amd64.pyd

MD5 d5a6f5d5da83875d0488016eec8ae581
SHA1 47adb4e62ad406fa2b159da715d3a1883a4ed423
SHA256 4036345ff2c0434a67073507088cbefc561a4d04456cab6169017d1e501383d9
SHA512 a30d70ea79f296b63df6a629b5d0bccc1f8570fadb1886939c1b7470522247a959ef5284d8515c30fbd53a00088ca287eafe50171bb944a03008819d1c02001a

C:\Users\Admin\AppData\Local\Temp\_MEI25402\_cffi_backend.cp38-win_amd64.pyd

MD5 da1dbc729196ddc32913a64cf28f3a02
SHA1 ac06ce15f688745f65e964a40251447f06b93323
SHA256 b65908851a767a14bb7a15274be3a03ce7cb3582d2ac3b08c1c798f7d6f2637f
SHA512 9df569a1877c5f4390231b47ae70e4d07e056ab866418e66fbb86eb776ac4403b652fd638cef7335506861bea2481598706df0d0ba14120aa180632d206d00d7

\Users\Admin\AppData\Local\Temp\_MEI25402\cryptography\hazmat\bindings\_openssl.pyd

MD5 3433eff12293911bca28f0a05cc6d15b
SHA1 9c5f65538625e9ffbe687bf8aa7965e760644a7a
SHA256 4d8c2259b3e3e267d027e1dec5a835f6df585574eb9c8e8151167b2495e86e51
SHA512 d8c5c2252d82d11dbcc7aa55d4132cc9318388b9ff71cab908b44f60347bf000a9a1620464810dd483285b6ac43dfdc9c5bb9a18fabd372c4f443675ef4085a9

C:\Users\Admin\AppData\Local\Temp\_MEI25402\cryptography\hazmat\bindings\_openssl.pyd

MD5 79bf04997233ef528efb71e20cbcf834
SHA1 f43c1b808ed7a13100a2cea33b39c9a940eeaa44


Analysis: behavioral2

Detonation Overview

Submitted

2023-12-19 20:05

Reported

2023-12-20 01:18

Platform

win10v2004-20231215-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8d7e517c9d3b5fe21ea0a658e206556f.exe"

Signatures

Quasar RAT

trojan spyware quasar
Description Indicator Process Target
N/A ip-api.com N/A N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A ip-api.com N/A N/A
N/A ip-api.com N/A N/A

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\cmd.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\8d7e517c9d3b5fe21ea0a658e206556f.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Bscz.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Tjlhmjuvlwj.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Bscz.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Api Update = "\"C:\\Users\\Admin\\AppData\\Roaming\\SubDir\\update.exe\"" C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A
N/A ip-api.com N/A N/A
N/A ip-api.com N/A N/A

Drops autorun.inf file

Description Indicator Process Target
File created C:\autorun.inf C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
File created C:\autorun.inf C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
File created C:\autorun.inf C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
File created F:\autorun.inf C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
File created C:\autorun.inf C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
File created F:\autorun.inf C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
File created C:\autorun.inf C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
File created F:\autorun.inf C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
File created F:\autorun.inf C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
File created C:\autorun.inf C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
File created C:\autorun.inf C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
File created C:\autorun.inf C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
File created C:\autorun.inf C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
File created C:\autorun.inf C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
File created F:\autorun.inf C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
File created F:\autorun.inf C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
File created F:\autorun.inf C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
File created F:\autorun.inf C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
File created C:\autorun.inf C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
File created F:\autorun.inf C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
File created C:\autorun.inf C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
File created F:\autorun.inf C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
File created C:\autorun.inf C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
File created F:\autorun.inf C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
File created C:\autorun.inf C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
File created F:\autorun.inf C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
File created C:\autorun.inf C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
File created C:\autorun.inf C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
File created F:\autorun.inf C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
File created C:\autorun.inf C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
File created F:\autorun.inf C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
File created C:\autorun.inf C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
File created C:\autorun.inf C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
File created C:\autorun.inf C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
File created F:\autorun.inf C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
File created F:\autorun.inf C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
File created C:\autorun.inf C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
File created C:\autorun.inf C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
File created F:\autorun.inf C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
File created F:\autorun.inf C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
File created F:\autorun.inf C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
File created F:\autorun.inf C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
File created F:\autorun.inf C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
File created F:\autorun.inf C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
File created C:\autorun.inf C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
File created F:\autorun.inf C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
File created F:\autorun.inf C:\Windows\SysWOW64\cmd.exe N/A
File created C:\autorun.inf C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
File created C:\autorun.inf C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
File created F:\autorun.inf C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
File created C:\autorun.inf C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
File created C:\autorun.inf C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
File created C:\autorun.inf C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
File created C:\autorun.inf C:\Windows\SysWOW64\cmd.exe N/A
File created F:\autorun.inf C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
File created F:\autorun.inf C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
File created F:\autorun.inf C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
File created F:\autorun.inf C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
File created F:\autorun.inf C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
File created F:\autorun.inf C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
File created F:\autorun.inf C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
File created C:\autorun.inf C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
File created F:\autorun.inf C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
File created C:\autorun.inf C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Tjlhmjuvlwj.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A

Detects Pyinstaller

pyinstaller
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Roaming\SubDir\update.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Roaming\SubDir\update.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Roaming\SubDir\update.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Roaming\SubDir\update.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Roaming\SubDir\update.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Roaming\SubDir\update.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Roaming\SubDir\update.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Roaming\SubDir\update.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Roaming\SubDir\update.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Roaming\SubDir\update.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Roaming\SubDir\update.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Roaming\SubDir\update.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Roaming\SubDir\update.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Roaming\SubDir\update.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Roaming\SubDir\update.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Roaming\SubDir\update.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Roaming\SubDir\update.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Roaming\SubDir\update.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Roaming\SubDir\update.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Roaming\SubDir\update.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Roaming\SubDir\update.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Roaming\SubDir\update.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Roaming\SubDir\update.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Roaming\SubDir\update.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Roaming\SubDir\update.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Roaming\SubDir\update.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Roaming\SubDir\update.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Roaming\SubDir\update.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Roaming\SubDir\update.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Roaming\SubDir\update.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Roaming\SubDir\update.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Roaming\SubDir\update.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Roaming\SubDir\update.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Roaming\SubDir\update.exe

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
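The rows above only record that schtasks.exe ran; what makes these registrations worth alerting on is in the command lines listed under Processes further down this page. One task, "Microsoft Api Update", runs at every logon with /rl HIGHEST and /f; the other, "WINDOWSSYSTEMHOST", re-launches the same binary every minute (/sc MINUTE /MO 1); both point at update.exe under the user's AppData. The Python below is an added example, not part of the sandbox report: it parses `schtasks /create` command lines as they appear in process-creation logs and emits a finding code for each trait a detection engineer would key on. The sample log is constructed: its first two lines are copied from this report, the third is a benign task made up for contrast, and the list of user-writable directories is an assumption to be tuned per environment.

```python
"""Flag persistence-style `schtasks /create` command lines in process-creation logs."""

# Assumption: directories an unprivileged user can write to. A task whose action
# lives under one of these is attacker-controlled even if the task name looks official.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")
OS_WORDS = ("microsoft", "windows")

DESCRIPTIONS = {
    "user_writable_path": "task action runs a binary from a user-writable directory",
    "run_level_highest": "/rl HIGHEST asks for the highest run level available to the creating user",
    "high_frequency_trigger": "/sc MINUTE with a small /MO re-launches the binary constantly (watchdog)",
    "lookalike_name": "task name imitates an OS component but the action is not an OS binary",
    "force_overwrite": "/f silently replaces any existing task with the same name",
}


def tokenize(cmdline):
    """Split a Windows command line on unquoted whitespace, dropping the quotes."""
    tokens, cur, quoted = [], [], False
    for ch in cmdline:
        if ch == '"':
            quoted = not quoted
        elif ch.isspace() and not quoted:
            if cur:
                tokens.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        tokens.append("".join(cur))
    return tokens


def parse_schtasks_create(cmdline):
    """Return {option: value or True} for a `schtasks /create` line, else None."""
    tokens = tokenize(cmdline)
    if not tokens:
        return None
    image = tokens[0].rsplit("\\", 1)[-1].lower()  # "schtasks" or full System32 path
    if image not in ("schtasks", "schtasks.exe"):
        return None
    opts, i = {}, 1
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("/"):
            key = tok[1:].lower()
            # An option followed by a non-option token takes it as its value.
            if i + 1 < len(tokens) and not tokens[i + 1].startswith("/"):
                opts[key] = tokens[i + 1]
                i += 2
                continue
            opts[key] = True
        i += 1
    return opts if "create" in opts else None


def assess(cmdline):
    """Return the set of finding codes that apply to one command line."""
    opts = parse_schtasks_create(cmdline)
    if opts is None:
        return set()
    findings = set()
    action = str(opts.get("tr", "")).lower()
    name = str(opts.get("tn", "")).lower()
    if any(marker in action for marker in USER_WRITABLE):
        findings.add("user_writable_path")
    if str(opts.get("rl", "")).lower() == "highest":
        findings.add("run_level_highest")
    modifier = str(opts.get("mo", "1"))  # schtasks defaults /MO to 1 for MINUTE
    if str(opts.get("sc", "")).lower() == "minute" and modifier.isdigit() and int(modifier) <= 5:
        findings.add("high_frequency_trigger")
    if any(w in name for w in OS_WORDS) and "\\windows\\" not in action and "\\program files" not in action:
        findings.add("lookalike_name")
    if opts.get("f") is True:
        findings.add("force_overwrite")
    return findings


def scan(lines):
    """Return [(cmdline, sorted finding codes)] for every line that triggers something."""
    hits = []
    for line in lines:
        codes = assess(line)
        if codes:
            hits.append((line, sorted(codes)))
    return hits


# Constructed sample log: two task definitions copied from this report's process list
# plus one benign task made up for contrast.
SAMPLE_LOG = [
    r'"schtasks" /create /tn "Microsoft Api Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\update.exe" /rl HIGHEST /f',
    r'"C:\Windows\System32\schtasks.exe" /create /tn "WINDOWSSYSTEMHOST" /tr "C:\Users\Admin\AppData\Roaming\SubDir\update.exe" /sc MINUTE /MO 1',
    r'"C:\Windows\System32\schtasks.exe" /create /tn "Nightly Backup" /tr "C:\Program Files\BackupTool\backup.exe" /sc DAILY /st 02:00',
]

if __name__ == "__main__":
    for line, codes in scan(SAMPLE_LOG):
        print(line)
        for code in codes:
            print("   -", DESCRIPTIONS[code])
```

Run as a script it prints the two lines from the report with their findings; the benign line produces nothing. The same checks apply to the command-line field of Sysmon Event ID 1 or Security 4688. An action under AppData and a `/sc MINUTE` trigger with a small modifier are the strongest signals here; `/rl HIGHEST` also appears in legitimate updater tasks, so treat it as supporting evidence rather than a trigger on its own.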

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Tjlhmjuvlwj.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\cmd.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Tjlhmjuvlwj.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\update.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3452 wrote to memory of 3012 N/A C:\Users\Admin\AppData\Local\Temp\8d7e517c9d3b5fe21ea0a658e206556f.exe C:\Users\Admin\AppData\Local\Temp\Bscz.exe
PID 3452 wrote to memory of 3012 N/A C:\Users\Admin\AppData\Local\Temp\8d7e517c9d3b5fe21ea0a658e206556f.exe C:\Users\Admin\AppData\Local\Temp\Bscz.exe
PID 3452 wrote to memory of 5036 N/A C:\Users\Admin\AppData\Local\Temp\8d7e517c9d3b5fe21ea0a658e206556f.exe C:\Users\Admin\AppData\Local\Temp\Tjlhmjuvlwj.exe
PID 3452 wrote to memory of 5036 N/A C:\Users\Admin\AppData\Local\Temp\8d7e517c9d3b5fe21ea0a658e206556f.exe C:\Users\Admin\AppData\Local\Temp\Tjlhmjuvlwj.exe
PID 3452 wrote to memory of 5036 N/A C:\Users\Admin\AppData\Local\Temp\8d7e517c9d3b5fe21ea0a658e206556f.exe C:\Users\Admin\AppData\Local\Temp\Tjlhmjuvlwj.exe
PID 5036 wrote to memory of 4368 N/A C:\Users\Admin\AppData\Local\Temp\Tjlhmjuvlwj.exe C:\Windows\SysWOW64\schtasks.exe
PID 5036 wrote to memory of 4368 N/A C:\Users\Admin\AppData\Local\Temp\Tjlhmjuvlwj.exe C:\Windows\SysWOW64\schtasks.exe
PID 5036 wrote to memory of 4368 N/A C:\Users\Admin\AppData\Local\Temp\Tjlhmjuvlwj.exe C:\Windows\SysWOW64\schtasks.exe
PID 5036 wrote to memory of 244 N/A C:\Users\Admin\AppData\Local\Temp\Tjlhmjuvlwj.exe C:\Users\Admin\AppData\Roaming\SubDir\update.exe
PID 5036 wrote to memory of 244 N/A C:\Users\Admin\AppData\Local\Temp\Tjlhmjuvlwj.exe C:\Users\Admin\AppData\Roaming\SubDir\update.exe
PID 5036 wrote to memory of 244 N/A C:\Users\Admin\AppData\Local\Temp\Tjlhmjuvlwj.exe C:\Users\Admin\AppData\Roaming\SubDir\update.exe
PID 3012 wrote to memory of 1016 N/A C:\Users\Admin\AppData\Local\Temp\Bscz.exe C:\Users\Admin\AppData\Local\Temp\Bscz.exe
PID 3012 wrote to memory of 1016 N/A C:\Users\Admin\AppData\Local\Temp\Bscz.exe C:\Users\Admin\AppData\Local\Temp\Bscz.exe
PID 244 wrote to memory of 5212 N/A C:\Users\Admin\AppData\Roaming\SubDir\update.exe C:\Windows\SysWOW64\schtasks.exe
PID 244 wrote to memory of 5212 N/A C:\Users\Admin\AppData\Roaming\SubDir\update.exe C:\Windows\SysWOW64\schtasks.exe
PID 244 wrote to memory of 5212 N/A C:\Users\Admin\AppData\Roaming\SubDir\update.exe C:\Windows\SysWOW64\schtasks.exe
PID 244 wrote to memory of 6928 N/A C:\Users\Admin\AppData\Roaming\SubDir\update.exe C:\Windows\SysWOW64\schtasks.exe
PID 244 wrote to memory of 6928 N/A C:\Users\Admin\AppData\Roaming\SubDir\update.exe C:\Windows\SysWOW64\schtasks.exe
PID 244 wrote to memory of 6928 N/A C:\Users\Admin\AppData\Roaming\SubDir\update.exe C:\Windows\SysWOW64\schtasks.exe
PID 244 wrote to memory of 7544 N/A C:\Users\Admin\AppData\Roaming\SubDir\update.exe C:\Windows\SysWOW64\cmd.exe
PID 244 wrote to memory of 7544 N/A C:\Users\Admin\AppData\Roaming\SubDir\update.exe C:\Windows\SysWOW64\cmd.exe
PID 244 wrote to memory of 7544 N/A C:\Users\Admin\AppData\Roaming\SubDir\update.exe C:\Windows\SysWOW64\cmd.exe
PID 7544 wrote to memory of 7608 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WerFault.exe
PID 7544 wrote to memory of 7608 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WerFault.exe
PID 7544 wrote to memory of 7608 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WerFault.exe
PID 7544 wrote to memory of 7640 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 7544 wrote to memory of 7640 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 7544 wrote to memory of 7640 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 7544 wrote to memory of 7756 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 7544 wrote to memory of 7756 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 7544 wrote to memory of 7756 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 7756 wrote to memory of 7912 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 7756 wrote to memory of 7912 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 7756 wrote to memory of 7912 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 7756 wrote to memory of 7984 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 7756 wrote to memory of 7984 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 7756 wrote to memory of 7984 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 7756 wrote to memory of 8064 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 7756 wrote to memory of 8064 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 7756 wrote to memory of 8064 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 8064 wrote to memory of 8136 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 8064 wrote to memory of 8136 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 8064 wrote to memory of 8136 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 8064 wrote to memory of 8160 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 8064 wrote to memory of 8160 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 8064 wrote to memory of 8160 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 8232 wrote to memory of 8388 N/A C:\Users\Admin\AppData\Roaming\SubDir\update.exe C:\Windows\SysWOW64\schtasks.exe
PID 8232 wrote to memory of 8388 N/A C:\Users\Admin\AppData\Roaming\SubDir\update.exe C:\Windows\SysWOW64\schtasks.exe
PID 8232 wrote to memory of 8388 N/A C:\Users\Admin\AppData\Roaming\SubDir\update.exe C:\Windows\SysWOW64\schtasks.exe
PID 8232 wrote to memory of 8456 N/A C:\Users\Admin\AppData\Roaming\SubDir\update.exe C:\Windows\SysWOW64\schtasks.exe
PID 8232 wrote to memory of 8456 N/A C:\Users\Admin\AppData\Roaming\SubDir\update.exe C:\Windows\SysWOW64\schtasks.exe
PID 8232 wrote to memory of 8456 N/A C:\Users\Admin\AppData\Roaming\SubDir\update.exe C:\Windows\SysWOW64\schtasks.exe
PID 8232 wrote to memory of 8536 N/A C:\Users\Admin\AppData\Roaming\SubDir\update.exe C:\Windows\SysWOW64\cmd.exe
PID 8232 wrote to memory of 8536 N/A C:\Users\Admin\AppData\Roaming\SubDir\update.exe C:\Windows\SysWOW64\cmd.exe
PID 8232 wrote to memory of 8536 N/A C:\Users\Admin\AppData\Roaming\SubDir\update.exe C:\Windows\SysWOW64\cmd.exe
PID 8536 wrote to memory of 8616 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 8536 wrote to memory of 8616 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 8536 wrote to memory of 8616 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 8536 wrote to memory of 8636 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 8536 wrote to memory of 8636 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 8536 wrote to memory of 8636 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 8064 wrote to memory of 8696 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\SubDir\update.exe
PID 8064 wrote to memory of 8696 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\SubDir\update.exe
PID 8064 wrote to memory of 8696 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\SubDir\update.exe
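Each row in this table is one WriteProcessMemory call, so a single launch is listed two or three times and the parent/child chain is hard to follow by eye. The Python below is an added example, not part of the sandbox report: it parses rows in the table's exact format, collapses repeats into a per-edge count, prints the tree and the lineage of any PID, and flags the relaunch pattern visible here, a cmd.exe that runs PING.EXE as a delay and then starts update.exe from AppData. The embedded excerpt is copied from this table with its repeat counts but omits most rows to stay short. PID 8232 never appears as a write target in the table, so the code shows it as a second root rather than guessing at its parent.

```python
"""Rebuild the process tree from rows in the 'Suspicious use of WriteProcessMemory' table."""
import re
from collections import Counter, defaultdict

ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")
# Assumption: directories an unprivileged user can write to.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")


def basename(path):
    return path.rsplit("\\", 1)[-1]


def parse_rows(lines):
    """Count identical rows: (parent_pid, child_pid, parent_image, child_image) -> rows seen."""
    edges = Counter()
    for line in lines:
        m = ROW_RE.match(line.strip())
        if m:
            ppid, cpid, pimg, cimg = m.groups()
            edges[(int(ppid), int(cpid), pimg, cimg)] += 1
    return edges


class ProcessTree:
    def __init__(self, edges):
        self.parent = {}                   # child pid -> parent pid
        self.children = defaultdict(list)  # parent pid -> [child pids]
        self.image = {}                    # pid -> image path
        self.writes = {}                   # (parent, child) -> number of table rows
        for (ppid, cpid, pimg, cimg), n in edges.items():
            self.parent[cpid] = ppid
            self.children[ppid].append(cpid)
            self.image.setdefault(ppid, pimg)
            self.image[cpid] = cimg
            self.writes[(ppid, cpid)] = n

    def roots(self):
        """PIDs that never appear as a write target: the sample itself plus anything the table does not explain."""
        return sorted(pid for pid in self.image if pid not in self.parent)

    def lineage(self, pid):
        """Ancestors from the root down to pid."""
        chain = [pid]
        while chain[-1] in self.parent:
            chain.append(self.parent[chain[-1]])
        return chain[::-1]

    def render(self, pid, depth=0):
        line = f"{'  ' * depth}{pid} {basename(self.image[pid])}"
        if pid in self.parent:
            line += f"  [{self.writes[(self.parent[pid], pid)]} rows]"
        return "\n".join([line] + [self.render(c, depth + 1) for c in sorted(self.children[pid])])

    def batch_relaunches(self):
        """cmd.exe instances that spawn PING.EXE (a sleep substitute) and also start a binary
        from a user-writable directory: the restart-via-batch-file pattern in this report."""
        hits = []
        for ppid, kids in self.children.items():
            if basename(self.image[ppid]).lower() != "cmd.exe":
                continue
            if "ping.exe" not in [basename(self.image[c]).lower() for c in kids]:
                continue
            for c in kids:
                if any(marker in self.image[c].lower() for marker in USER_WRITABLE):
                    hits.append((ppid, c))
        return hits


# Excerpt copied from the table above. The first element is how many identical rows the
# report lists for that launch; the expansion below reproduces them so parse_rows sees repeats.
_EXCERPT = [
    (2, r"PID 3452 wrote to memory of 3012 N/A C:\Users\Admin\AppData\Local\Temp\8d7e517c9d3b5fe21ea0a658e206556f.exe C:\Users\Admin\AppData\Local\Temp\Bscz.exe"),
    (3, r"PID 3452 wrote to memory of 5036 N/A C:\Users\Admin\AppData\Local\Temp\8d7e517c9d3b5fe21ea0a658e206556f.exe C:\Users\Admin\AppData\Local\Temp\Tjlhmjuvlwj.exe"),
    (3, r"PID 5036 wrote to memory of 4368 N/A C:\Users\Admin\AppData\Local\Temp\Tjlhmjuvlwj.exe C:\Windows\SysWOW64\schtasks.exe"),
    (3, r"PID 5036 wrote to memory of 244 N/A C:\Users\Admin\AppData\Local\Temp\Tjlhmjuvlwj.exe C:\Users\Admin\AppData\Roaming\SubDir\update.exe"),
    (3, r"PID 244 wrote to memory of 7544 N/A C:\Users\Admin\AppData\Roaming\SubDir\update.exe C:\Windows\SysWOW64\cmd.exe"),
    (3, r"PID 7544 wrote to memory of 7756 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe"),
    (3, r"PID 7756 wrote to memory of 8064 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe"),
    (3, r"PID 8064 wrote to memory of 8160 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE"),
    (3, r"PID 8064 wrote to memory of 8696 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\SubDir\update.exe"),
    (3, r"PID 8232 wrote to memory of 8388 N/A C:\Users\Admin\AppData\Roaming\SubDir\update.exe C:\Windows\SysWOW64\schtasks.exe"),
]
TABLE_EXCERPT = [row for n, row in _EXCERPT for _ in range(n)]

if __name__ == "__main__":
    tree = ProcessTree(parse_rows(TABLE_EXCERPT))
    for root in tree.roots():
        print(tree.render(root), end="\n\n")
    print("lineage of 8696:", " -> ".join(map(str, tree.lineage(8696))))
    print("batch relaunches (cmd pid, child pid):", tree.batch_relaunches())
```

The lineage of PID 8696 comes out as 3452 -> 5036 -> 244 -> 7544 -> 7756 -> 8064 -> 8696: the dropped Tjlhmjuvlwj.exe (5036) starts update.exe (244), which hands off to a batch file whose nested cmd.exe instances sleep with ping and then start update.exe again. Under Processes the same steps show up as `cmd.exe /c "...bat"`, `chcp 65001`, `ping -n 10 localhost` and a fresh `update.exe` after each batch file. A cmd.exe whose children include both PING.EXE and an executable under AppData is a compact hunting query for this pattern in EDR process-tree data.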

Processes

C:\Users\Admin\AppData\Local\Temp\8d7e517c9d3b5fe21ea0a658e206556f.exe

"C:\Users\Admin\AppData\Local\Temp\8d7e517c9d3b5fe21ea0a658e206556f.exe"

C:\Users\Admin\AppData\Local\Temp\Bscz.exe

"C:\Users\Admin\AppData\Local\Temp\Bscz.exe"

C:\Users\Admin\AppData\Local\Temp\Tjlhmjuvlwj.exe

"C:\Users\Admin\AppData\Local\Temp\Tjlhmjuvlwj.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Microsoft Api Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Tjlhmjuvlwj.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Roaming\SubDir\update.exe

"C:\Users\Admin\AppData\Roaming\SubDir\update.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Microsoft Api Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\update.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /tn "WINDOWSSYSTEMHOST" /tr "C:\Users\Admin\AppData\Roaming\SubDir\update.exe" /sc MINUTE /MO 1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZPir7R0lgWyP.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 244 -ip 244

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 244 -s 2412

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\Bscz.exe

"C:\Users\Admin\AppData\Local\Temp\Bscz.exe"

C:\Users\Admin\AppData\Roaming\SubDir\update.exe

"C:\Users\Admin\AppData\Roaming\SubDir\update.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Microsoft Api Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\update.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /tn "WINDOWSSYSTEMHOST" /tr "C:\Users\Admin\AppData\Roaming\SubDir\update.exe" /sc MINUTE /MO 1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 7756 -s 2400

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 7756 -ip 7756

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jAnv9mNGqMPu.bat" "

C:\Users\Admin\AppData\Roaming\SubDir\update.exe

C:\Users\Admin\AppData\Roaming\SubDir\update.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /tn "WINDOWSSYSTEMHOST" /tr "C:\Users\Admin\AppData\Roaming\SubDir\update.exe" /sc MINUTE /MO 1

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Microsoft Api Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\update.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 8232 -s 2412

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 8232 -ip 8232

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jLnwyRsGjUJu.bat" "

C:\Users\Admin\AppData\Roaming\SubDir\update.exe

"C:\Users\Admin\AppData\Roaming\SubDir\update.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /tn "WINDOWSSYSTEMHOST" /tr "C:\Users\Admin\AppData\Roaming\SubDir\update.exe" /sc MINUTE /MO 1

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Microsoft Api Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\update.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 8696 -s 2368

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 8696 -ip 8696

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fL4YPqG8To7H.bat" "

C:\Users\Admin\AppData\Roaming\SubDir\update.exe

"C:\Users\Admin\AppData\Roaming\SubDir\update.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Microsoft Api Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\update.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /tn "WINDOWSSYSTEMHOST" /tr "C:\Users\Admin\AppData\Roaming\SubDir\update.exe" /sc MINUTE /MO 1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 5340 -ip 5340

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5340 -s 2268

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JpsA1Va6N2En.bat" "

C:\Users\Admin\AppData\Roaming\SubDir\update.exe

"C:\Users\Admin\AppData\Roaming\SubDir\update.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /tn "WINDOWSSYSTEMHOST" /tr "C:\Users\Admin\AppData\Roaming\SubDir\update.exe" /sc MINUTE /MO 1

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Microsoft Api Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\update.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 5740 -ip 5740

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1CoERHXBT5Oz.bat" "

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5740 -s 2424

C:\Users\Admin\AppData\Roaming\SubDir\update.exe

"C:\Users\Admin\AppData\Roaming\SubDir\update.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Microsoft Api Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\update.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /tn "WINDOWSSYSTEMHOST" /tr "C:\Users\Admin\AppData\Roaming\SubDir\update.exe" /sc MINUTE /MO 1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 6004 -ip 6004

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 6004 -s 2420

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8xVKh48LzsYN.bat" "

C:\Users\Admin\AppData\Roaming\SubDir\update.exe

"C:\Users\Admin\AppData\Roaming\SubDir\update.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /tn "WINDOWSSYSTEMHOST" /tr "C:\Users\Admin\AppData\Roaming\SubDir\update.exe" /sc MINUTE /MO 1

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Microsoft Api Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\update.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 6768 -s 1928

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 6768 -ip 6768

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Xf5igb5ibpcy.bat" "

C:\Users\Admin\AppData\Roaming\SubDir\update.exe

"C:\Users\Admin\AppData\Roaming\SubDir\update.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /tn "WINDOWSSYSTEMHOST" /tr "C:\Users\Admin\AppData\Roaming\SubDir\update.exe" /sc MINUTE /MO 1

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Microsoft Api Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\update.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 672 -s 2388

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 672 -ip 672

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\B9tKIHPhW3jU.bat" "

C:\Users\Admin\AppData\Roaming\SubDir\update.exe

"C:\Users\Admin\AppData\Roaming\SubDir\update.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Microsoft Api Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\update.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /tn "WINDOWSSYSTEMHOST" /tr "C:\Users\Admin\AppData\Roaming\SubDir\update.exe" /sc MINUTE /MO 1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 5300 -ip 5300

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YLJtVbjzS2vA.bat" "

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5300 -s 2396

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Users\Admin\AppData\Roaming\SubDir\update.exe

"C:\Users\Admin\AppData\Roaming\SubDir\update.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Microsoft Api Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\update.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /tn "WINDOWSSYSTEMHOST" /tr "C:\Users\Admin\AppData\Roaming\SubDir\update.exe" /sc MINUTE /MO 1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iDzuIS5VgjUd.bat" "

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1244 -s 2396

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 1244 -ip 1244

C:\Users\Admin\AppData\Roaming\SubDir\update.exe

"C:\Users\Admin\AppData\Roaming\SubDir\update.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /tn "WINDOWSSYSTEMHOST" /tr "C:\Users\Admin\AppData\Roaming\SubDir\update.exe" /sc MINUTE /MO 1

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Microsoft Api Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\update.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UWZWlecr5UdX.bat" "

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2268 -s 2408

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2268 -ip 2268

C:\Users\Admin\AppData\Roaming\SubDir\update.exe

"C:\Users\Admin\AppData\Roaming\SubDir\update.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Microsoft Api Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\update.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /tn "WINDOWSSYSTEMHOST" /tr "C:\Users\Admin\AppData\Roaming\SubDir\update.exe" /sc MINUTE /MO 1

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2628 -s 2408

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2628 -ip 2628

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UnjkKdhuAiFi.bat" "

C:\Users\Admin\AppData\Roaming\SubDir\update.exe

"C:\Users\Admin\AppData\Roaming\SubDir\update.exe"

C:\Users\Admin\AppData\Roaming\SubDir\update.exe

C:\Users\Admin\AppData\Roaming\SubDir\update.exe

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Microsoft Api Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\update.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /tn "WINDOWSSYSTEMHOST" /tr "C:\Users\Admin\AppData\Roaming\SubDir\update.exe" /sc MINUTE /MO 1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\A8RO7XFNykfP.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 8548 -ip 8548

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 8548 -s 2420

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Microsoft Api Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\update.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /tn "WINDOWSSYSTEMHOST" /tr "C:\Users\Admin\AppData\Roaming\SubDir\update.exe" /sc MINUTE /MO 1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9sMSgA9A6ttO.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 8296 -ip 8296

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 8296 -s 2416

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Users\Admin\AppData\Roaming\SubDir\update.exe

"C:\Users\Admin\AppData\Roaming\SubDir\update.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Microsoft Api Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\update.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /tn "WINDOWSSYSTEMHOST" /tr "C:\Users\Admin\AppData\Roaming\SubDir\update.exe" /sc MINUTE /MO 1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qNzo4adSWvgo.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 5816 -ip 5816

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5816 -s 2428

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\update.exe

"C:\Users\Admin\AppData\Roaming\SubDir\update.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Microsoft Api Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\update.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /tn "WINDOWSSYSTEMHOST" /tr "C:\Users\Admin\AppData\Roaming\SubDir\update.exe" /sc MINUTE /MO 1

C:\Users\Admin\AppData\Roaming\SubDir\update.exe

"C:\Users\Admin\AppData\Roaming\SubDir\update.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WzC48yWRx2w6.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 5580 -ip 5580

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5580 -s 2404

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Microsoft Api Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\update.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /tn "WINDOWSSYSTEMHOST" /tr "C:\Users\Admin\AppData\Roaming\SubDir\update.exe" /sc MINUTE /MO 1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\5DXnYjyrMKzV.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 6488 -ip 6488

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 6488 -s 2412

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\update.exe

"C:\Users\Admin\AppData\Roaming\SubDir\update.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Microsoft Api Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\update.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /tn "WINDOWSSYSTEMHOST" /tr "C:\Users\Admin\AppData\Roaming\SubDir\update.exe" /sc MINUTE /MO 1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 7120 -ip 7120

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Z6pbwW0M758k.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 7120 -s 1840

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\update.exe

"C:\Users\Admin\AppData\Roaming\SubDir\update.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Microsoft Api Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\update.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /tn "WINDOWSSYSTEMHOST" /tr "C:\Users\Admin\AppData\Roaming\SubDir\update.exe" /sc MINUTE /MO 1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\O9eycHEz5fxa.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 7236 -ip 7236

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 7236 -s 2404

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\update.exe

"C:\Users\Admin\AppData\Roaming\SubDir\update.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Microsoft Api Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\update.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /tn "WINDOWSSYSTEMHOST" /tr "C:\Users\Admin\AppData\Roaming\SubDir\update.exe" /sc MINUTE /MO 1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KcGh7gey3ve4.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3548 -ip 3548

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3548 -s 2396

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\update.exe

"C:\Users\Admin\AppData\Roaming\SubDir\update.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Microsoft Api Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\update.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /tn "WINDOWSSYSTEMHOST" /tr "C:\Users\Admin\AppData\Roaming\SubDir\update.exe" /sc MINUTE /MO 1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\33wGQewoZsTo.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 3240 -ip 3240

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3240 -s 2408

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\update.exe

"C:\Users\Admin\AppData\Roaming\SubDir\update.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Microsoft Api Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\update.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /tn "WINDOWSSYSTEMHOST" /tr "C:\Users\Admin\AppData\Roaming\SubDir\update.exe" /sc MINUTE /MO 1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 2000 -ip 2000

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NsovWj4hpyER.bat" "

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2000 -s 1872

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\update.exe

"C:\Users\Admin\AppData\Roaming\SubDir\update.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Microsoft Api Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\update.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /tn "WINDOWSSYSTEMHOST" /tr "C:\Users\Admin\AppData\Roaming\SubDir\update.exe" /sc MINUTE /MO 1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gT0N97v13Cvl.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 8148 -ip 8148

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 8148 -s 2420

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\update.exe

"C:\Users\Admin\AppData\Roaming\SubDir\update.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Microsoft Api Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\update.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /tn "WINDOWSSYSTEMHOST" /tr "C:\Users\Admin\AppData\Roaming\SubDir\update.exe" /sc MINUTE /MO 1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NydjXXPJTEjB.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 8120 -ip 8120

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 8120 -s 2404

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\update.exe

"C:\Users\Admin\AppData\Roaming\SubDir\update.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Microsoft Api Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\update.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /tn "WINDOWSSYSTEMHOST" /tr "C:\Users\Admin\AppData\Roaming\SubDir\update.exe" /sc MINUTE /MO 1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XetzY5SCzpfw.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 8772 -ip 8772

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 8772 -s 2416

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\update.exe

"C:\Users\Admin\AppData\Roaming\SubDir\update.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Microsoft Api Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\update.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /tn "WINDOWSSYSTEMHOST" /tr "C:\Users\Admin\AppData\Roaming\SubDir\update.exe" /sc MINUTE /MO 1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1RRL9DiHNSqh.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 8240 -ip 8240

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 8240 -s 2416

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\update.exe

"C:\Users\Admin\AppData\Roaming\SubDir\update.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Microsoft Api Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\update.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /tn "WINDOWSSYSTEMHOST" /tr "C:\Users\Admin\AppData\Roaming\SubDir\update.exe" /sc MINUTE /MO 1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qP5T07nW6AGG.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 5668 -ip 5668

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5668 -s 2412

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\update.exe

"C:\Users\Admin\AppData\Roaming\SubDir\update.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Microsoft Api Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\update.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /tn "WINDOWSSYSTEMHOST" /tr "C:\Users\Admin\AppData\Roaming\SubDir\update.exe" /sc MINUTE /MO 1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MmX9Fe0RbezW.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 5520 -ip 5520

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5520 -s 1340

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\update.exe

"C:\Users\Admin\AppData\Roaming\SubDir\update.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Microsoft Api Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\update.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /tn "WINDOWSSYSTEMHOST" /tr "C:\Users\Admin\AppData\Roaming\SubDir\update.exe" /sc MINUTE /MO 1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qa5VpmHWyI9H.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 6432 -ip 6432

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 6432 -s 2392

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\update.exe

C:\Users\Admin\AppData\Roaming\SubDir\update.exe

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Microsoft Api Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\update.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /tn "WINDOWSSYSTEMHOST" /tr "C:\Users\Admin\AppData\Roaming\SubDir\update.exe" /sc MINUTE /MO 1

C:\Users\Admin\AppData\Roaming\SubDir\update.exe

"C:\Users\Admin\AppData\Roaming\SubDir\update.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qwPxDbVyJOAj.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 6892 -ip 6892

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 6892 -s 2400

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Microsoft Api Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\update.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /tn "WINDOWSSYSTEMHOST" /tr "C:\Users\Admin\AppData\Roaming\SubDir\update.exe" /sc MINUTE /MO 1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NUB30JTLGr0P.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4720 -ip 4720

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4720 -s 2400

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\update.exe

"C:\Users\Admin\AppData\Roaming\SubDir\update.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Microsoft Api Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\update.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /tn "WINDOWSSYSTEMHOST" /tr "C:\Users\Admin\AppData\Roaming\SubDir\update.exe" /sc MINUTE /MO 1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Fwz3ixj0iI0z.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4472 -ip 4472

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4472 -s 1952

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\update.exe

"C:\Users\Admin\AppData\Roaming\SubDir\update.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Microsoft Api Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\update.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /tn "WINDOWSSYSTEMHOST" /tr "C:\Users\Admin\AppData\Roaming\SubDir\update.exe" /sc MINUTE /MO 1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\80b8BT7wChWj.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 8056 -ip 8056

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 8056 -s 2408

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

Network

Country Destination Domain Proto
US 8.8.8.8:53 17.53.126.40.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 fw1.sshreach.me udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 fw1.sshreach.me udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 fw1.sshreach.me udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 fw1.sshreach.me udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 fw1.sshreach.me udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 fw1.sshreach.me udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 fw1.sshreach.me udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 fw1.sshreach.me udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 fw1.sshreach.me udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 fw1.sshreach.me udp
US 208.95.112.1:80 ip-api.com tcp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 fw1.sshreach.me udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 fw1.sshreach.me udp
US 208.95.112.1:80 ip-api.com tcp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 fw1.sshreach.me udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 190.178.17.96.in-addr.arpa udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 fw1.sshreach.me udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 fw1.sshreach.me udp
US 208.95.112.1:80 ip-api.com tcp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 fw1.sshreach.me udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 fw1.sshreach.me udp
US 208.95.112.1:80 ip-api.com tcp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 fw1.sshreach.me udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 fw1.sshreach.me udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 fw1.sshreach.me udp
US 208.95.112.1:80 ip-api.com tcp
US 208.95.112.1:80 ip-api.com tcp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 fw1.sshreach.me udp
US 208.95.112.1:80 ip-api.com tcp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 fw1.sshreach.me udp
US 208.95.112.1:80 ip-api.com tcp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 fw1.sshreach.me udp
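The process listing above shows the same persistence pattern on every relaunch: two scheduled tasks pointing at C:\Users\Admin\AppData\Roaming\SubDir\update.exe (one at logon with /rl HIGHEST, one every minute), a cmd /c launch of a random-named .bat from Temp, and `ping -n 10 localhost` used as a sleep. In the Network table, ip-api.com is queried and then fetched over TCP/80, while fw1.sshreach.me appears only in DNS queries to 8.8.8.8; no connection to a resolved address for it is listed. The Files list that follows also records the same paths (Bscz.exe, update.exe) more than once with different hashes. The Python below is an added example, not part of the sandbox report: it parses lines copied verbatim from this report (a constructed sample, SHA512 lines omitted) and pulls those indicators out so they can be turned into hunt queries. All function names and the heuristics in task_findings are the example's own.

```python
import re
from collections import defaultdict

# Constructed input: lines copied verbatim from the process listing, the
# Network table and the Files list of this report (SHA512 lines omitted).
PROCESS_LINES = r'''
C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Microsoft Api Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\update.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /tn "WINDOWSSYSTEMHOST" /tr "C:\Users\Admin\AppData\Roaming\SubDir\update.exe" /sc MINUTE /MO 1

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost
'''
NETWORK_LINES = '''Country Destination Domain Proto
US 8.8.8.8:53 17.53.126.40.in-addr.arpa udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 fw1.sshreach.me udp
US 208.95.112.1:80 ip-api.com tcp
'''
FILE_LINES = r'''
C:\Users\Admin\AppData\Local\Temp\Bscz.exe

MD5 1d7f1c99ffb61cbff1e81735e806e320
SHA1 82b418b6e39897225085f77c6b473727bbd0d71e
SHA256 cacb097df50ac2a0c81d0a4f89f459b4b2ba7a7beae0b3c4169e2df97b2c17a4

C:\Users\Admin\AppData\Local\Temp\Bscz.exe

MD5 b3c9cfd0cf50e181cea23bf656c746d5
SHA1 08c404eb0f11a4bacbe0a0fdd35a2ad9104feccd
SHA256 dad68973fece4833be10ee850d51a458ff22e6238b571f214f2da6f4fe704c6f

C:\Users\Admin\AppData\Roaming\SubDir\update.exe

MD5 dc5943c20e0b5a9a16db42853e01cc4f
SHA1 46828308f24e3e05a10258a7bf716fffb265a719
SHA256 5e1194c8307c8274ab25764dddc2f0aad769e41b81ede74124af9702f0539d92
'''

# schtasks switches of interest: quoted value or a single bare token.
_TASK_OPT = re.compile(r'/(tn|tr|sc|mo|rl)\s+("([^"]*)"|(\S+))', re.IGNORECASE)


def parse_scheduled_tasks(text):
    """One dict per `schtasks /create` command line found in the listing."""
    tasks = []
    for line in text.splitlines():
        low = line.lower()
        if 'schtasks' not in low or '/create' not in low:
            continue
        opts = {m.group(1).lower(): (m.group(3) if m.group(3) is not None else m.group(4))
                for m in _TASK_OPT.finditer(line)}
        tasks.append({'name': opts.get('tn'), 'target': opts.get('tr'),
                      'schedule': opts.get('sc', '').upper() or None,
                      'modifier': opts.get('mo'), 'runlevel': opts.get('rl')})
    return tasks


def task_findings(task):
    """Reasons an analyst would flag the task; an empty list means nothing odd."""
    reasons = []
    if '\\appdata\\' in (task['target'] or '').lower():
        reasons.append('target lives under a user-writable AppData path')
    mod = task['modifier'] or ''
    if task['schedule'] == 'MINUTE' and mod.isdigit() and int(mod) <= 5:
        reasons.append(f're-launched every {mod} minute(s)')
    if task['schedule'] == 'ONLOGON':
        reasons.append('fires at every logon')
    if (task['runlevel'] or '').upper() == 'HIGHEST':
        reasons.append('runs with the highest privileges available to the account')
    return reasons


def ping_delays(text):
    """Seconds of sleep implied by each `ping -n N localhost` (about N-1 s)."""
    return [int(m.group(1)) - 1
            for m in re.finditer(r'ping -n (\d+) localhost', text, re.IGNORECASE)]


def network_iocs(text):
    """Map each queried domain (PTR lookups dropped) to its non-DNS destinations."""
    contacts = {}
    for line in text.splitlines()[1:]:          # skip the header row
        parts = line.split()
        if len(parts) != 4:
            continue
        _country, dest, domain, proto = parts
        if domain.endswith('.in-addr.arpa'):
            continue
        bucket = contacts.setdefault(domain, set())
        if not dest.endswith(':53'):            # anything beyond the DNS lookup
            bucket.add(f'{dest}/{proto}')
    return contacts


def sha256_by_path(text):
    """Group every SHA256 in the Files list under the path it was written to."""
    groups, path = defaultdict(set), None
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if line.startswith('SHA256 '):
            groups[path].add(line.split()[1])
        elif not re.match(r'(MD5|SHA1|SHA512) ', line):
            path = line                         # a path (or memory region) line
    return {p: sorted(h) for p, h in groups.items()}


def rewritten_paths(groups):
    """Paths written more than once with different content."""
    return sorted(p for p, hashes in groups.items() if len(hashes) > 1)
```

The empty destination set returned for fw1.sshreach.me is the useful output here: the domain was resolved on every relaunch but the table records no session to it, so a hunt should key on the DNS query itself rather than on a connection. Feeding the full listing instead of the sample only changes the counts, not the two task definitions.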

Files

memory/3452-0-0x0000000074DC0000-0x0000000075570000-memory.dmp

memory/3452-1-0x0000000000400000-0x0000000001944000-memory.dmp

memory/3452-2-0x0000000006010000-0x00000000065B4000-memory.dmp

memory/3452-3-0x0000000005EC0000-0x0000000005F52000-memory.dmp

memory/3452-4-0x0000000005F80000-0x0000000005F90000-memory.dmp

memory/3452-5-0x0000000005FF0000-0x0000000005FFA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Bscz.exe

MD5 1d7f1c99ffb61cbff1e81735e806e320
SHA1 82b418b6e39897225085f77c6b473727bbd0d71e
SHA256 cacb097df50ac2a0c81d0a4f89f459b4b2ba7a7beae0b3c4169e2df97b2c17a4
SHA512 9c11d113c011b86695ebd918e95e8f5dfaad45cb218d60d3c710d8d4be312b747cb624cf7d3f634e72cfafd7538818a0bd0c97f558ed92b45ed411b8f03e71a1

C:\Users\Admin\AppData\Local\Temp\Bscz.exe

MD5 b3c9cfd0cf50e181cea23bf656c746d5
SHA1 08c404eb0f11a4bacbe0a0fdd35a2ad9104feccd
SHA256 dad68973fece4833be10ee850d51a458ff22e6238b571f214f2da6f4fe704c6f
SHA512 e1e919e5a2995252888fbebc8762b787ce04d2a6edcef96d7d7de3a99fac29ce9714c197ae8562ab287d55fbd8c19370e7a709eb6843ef2dba3050f0b2542aed

C:\Users\Admin\AppData\Local\Temp\Tjlhmjuvlwj.exe

MD5 a36d8271a26bfa2dc88f9b80c589075c
SHA1 53233e535895bf285d9db34511a2d691151cdd65
SHA256 a46a35bc1eb42060c5e6dd0d7d85a64d3d47415552647d9a1207853394c8bb69
SHA512 0c3b81989e13006f752d399d30a2b09af3d86e01c4ce29d734af5aee7983a3b3101899d2b6726f86009fa99b30cb7bf02485107dd9b3f9333c69e48e89441df3

memory/5036-23-0x00000000005A0000-0x0000000000944000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Tjlhmjuvlwj.exe

MD5 2d357bb0ce3b32590b7f7235e0d94f02
SHA1 a1717b5c5668738aac54ef06db9af40290890e82
SHA256 35731ff149b5938100afc59419d08c38ca4b7316bbc58bd9c2a8e27122dd460b
SHA512 c1170e4ff08c8a46a3dbe18f4f06060031cc68f5ce9f3e70ce26dea47541a3f5ebcb185c90ac1a6dad428c3018c3296a66836a108020f632ba74ea604ef850c5

C:\Users\Admin\AppData\Local\Temp\Bscz.exe

MD5 5fa95b1a9438e0b8eb654f394c8d5867
SHA1 ecd720cedec2298a1b3a124f312e7b608cd45910
SHA256 90b4ea3171c4eaee3ec42c816669a5e8365b07e49916de5fc8fa75849acf21d6
SHA512 56bc5b6fe44d026841375ca7aaf8dfad3b56be834d98f743186530136256542909eb1b50d36f4e2ff092fec45c6019355f5957d22ed40e978a9f937f0eab70a1

\??\c:\users\admin\appdata\local\temp\tjlhmjuvlwj.exe

MD5 381c1c899bb6a556b4acbf2fb82f3e7e
SHA1 44f9a1eea4444dfa844178ea4cff7fd189396aea
SHA256 a8b2a61a60d9a484a21291ac7c289abc4c623bd726ed1f7ae70f7623b02f8380
SHA512 6227fc4f40534d3aa3165565004fbb4e7176f2fffd378df203a875dd66cccead2bd3926773aab9bba97333b238b298332c5c99d05d33889101b206350310530d

memory/3452-44-0x0000000074DC0000-0x0000000075570000-memory.dmp

memory/5036-51-0x0000000074DC0000-0x0000000075570000-memory.dmp

memory/5036-55-0x00000000005A0000-0x0000000000944000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI30122\botocore\data\backup\2018-11-15\paginators-1.json

MD5 8aa5cf05946154bb458837d470900282
SHA1 167bb1ca7291bcfc1d881ca364cc966d428ff6ae
SHA256 84843b01b2c1b18e1f3d234b54c834752e399ba72364a1538dba7764b878ce3f
SHA512 026db05c7a91284b26faa199add32f1c05069b017aede8afd7a3f9b487da74984ddfdfa547af646bb6ebfedd2806d5a606809270a5a18d87d87b317e284eb236

memory/5036-124-0x0000000006F20000-0x0000000006F30000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI30122\botocore\data\appsync\2017-07-25\examples-1.json

MD5 0584826da7a4673f48cd89e852d26691
SHA1 b423744f648cccdf3e210124b230635d4eda4975
SHA256 2b76fa9a06248adbdc79c4a5253fa257f1100139af3b24aceba88a248e6ac748
SHA512 ca79e3e2211f927e61c39874c19f6c6e3dade609eb1776f51e85262a3d8341a5cf9f1dd13b0f5e7ea6e45322cd58ee3b46c3df5a0239033303a84e46571577b8

C:\Users\Admin\AppData\Local\Temp\_MEI30122\botocore\data\cloudfront\2015-07-27\waiters-2.json

MD5 99bf7fd6a0bae78836407f02c6657c8a
SHA1 0a20b75298f52e9da04cf8056a99cbede7901a48
SHA256 8f3444a83c5f220d8a6e63d83a60e86200efcbc9960042b4c3f3661280aa8472
SHA512 3c4077e5dac77db12a3afb7b835f31cc2fd1976051113004416bf62b9bbe20730d9a4c45d003aae8952d2ce0fe5e362f2c1698d67c4293dc36e0222724f31106

C:\Users\Admin\AppData\Local\Temp\_MEI30122\botocore\data\cloudfront\2015-07-27\paginators-1.json

MD5 a9f3dde6c5e456029a2ebe3de89651cc
SHA1 5344f7ad65a011ea4acdb6c947e4182f14909222
SHA256 23bbb88753057e506f1497a672b2c74a7eee3ab11e0c573b79c586ab00f1185f
SHA512 381c046e6c2c567ded302c42f3bbbf03e8c272c9e9a985113c387bdf006011e61cf137704537f694f3db4f3f9f045c5153d86223692b065d76bd0e030bf1d060

memory/5036-571-0x0000000006F30000-0x0000000006F96000-memory.dmp

memory/5036-711-0x0000000007CB0000-0x0000000007CC2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI30122\pytz\zoneinfo\Africa\Lagos

MD5 3b4db0742fa8267a2d7efa548a30f9a2
SHA1 cdca88d4a729d78b572a5d3cc84f3e99989e4f46
SHA256 c6a2cd1aa6e31d9d49b881ec1173fdb6d5d26f7bfe196a7df12275e292fab14c
SHA512 fa356585caa8325d3f74251256c3ca2b894904dcdb7ad5f2ed6bb7ec12c98fdf3d69a080a0af413ef7ca101f9ccbc2fb28fb6d5d6a6d2f84281ccbd798fbb6da

C:\Users\Admin\AppData\Local\Temp\_MEI30122\pytz\zoneinfo\Africa\Kigali

MD5 b77fb20b4917d76b65c3450a7117023c
SHA1 b99f3115100292d9884a22ed9aef9a9c43b31ccd
SHA256 93f19e9551d58868ae5820752d2c93a486124c364463dc9c9489d0458f8bc682
SHA512 a088c2a4c7d72717257c3125c7c2aca28463d68306ea452afaad75b8a0f9e5730a8d9c430d14668809717a672dc63c4816762acb046b339da662da421a6d65df

C:\Users\Admin\AppData\Local\Temp\_MEI30122\pytz\zoneinfo\Africa\Djibouti

MD5 9953f5fda89eba25650d5e42adda36cd
SHA1 cc8958cc687a1f8169316cd7a93764403e935740
SHA256 52e9bc212ce945a0e1f37d223647d1bdaf919fa353bae1873568e28390b6f59a
SHA512 61b92a1a9978a58597f2fec6949605ee0fbcd7e4a4e31861a0647c20d1ebbdefb01c72a9f24a77807a1129c6720f3a1fc0e7fc9ab83789caebfc69a9540ce763

C:\Users\Admin\AppData\Local\Temp\_MEI30122\pytz\zoneinfo\America\Guadeloupe

MD5 ea7e528e528955259af3e65d86ba8e49
SHA1 8ee1b0d3b895b4195e0b580b67c0b2ee1010d29d
SHA256 d7b813d9e39530528917fb32a700cfb9d905c061228eb45f90153e68adc52fad
SHA512 95996a13576f1b9b6a58c4636dd56ce44e5c702416ad83d59cbaa588962c9a5865ff1c5f3769a475eaf9994d2baaa429eb99869fd4110b93679d94f81cbb1304

C:\Users\Admin\AppData\Local\Temp\_MEI30122\pytz\zoneinfo\Africa\Dakar

MD5 09a9397080948b96d97819d636775e33
SHA1 5cc9b028b5bd2222200e20091a18868ea62c4f18
SHA256 d2efac4e5f23d88c95d72c1db42807170f52f43dd98a205af5a92a91b9f2d997
SHA512 2eccf2515599ed261e96da3fbcfbab0b6a2dfc86a1d87e3814091709f0bfe2f600c3044c8555ed027978a8ae9045666ee639a8c249f48d665d8e5c60f0597799

memory/5036-994-0x00000000081D0000-0x000000000820C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI30122\pytz\zoneinfo\Europe\London

MD5 3d9add8c0dd4f406b8a9ad6f1219fb95
SHA1 c0b30d0940f65b8819cd6628d0670784dcb6b344
SHA256 c69d3cc15e384d932601d06aa69b6d0c285001bf2d44dd3719c121b7df5162d6
SHA512 9c82987fa7919fc333f3f04b309345b91240fa60d205a144b6ca10fcb586fddc3e9725e71da5a588eddd21bf99265dfe1495bb16df4367a82df57e103a324c78

C:\Users\Admin\AppData\Roaming\SubDir\update.exe

MD5 dc5943c20e0b5a9a16db42853e01cc4f
SHA1 46828308f24e3e05a10258a7bf716fffb265a719
SHA256 5e1194c8307c8274ab25764dddc2f0aad769e41b81ede74124af9702f0539d92
SHA512 2cd88c3c3f1407968136fd0f258b0adfd8dccc8d21a9fb9467980e62b7d072253ab23328998f67308469d2e4bda9c455ed75c1443e4be9b5a457ea202a750e17

C:\Users\Admin\AppData\Local\Temp\_MEI30122\pytz\zoneinfo\Etc\Greenwich

MD5 9cd2aef183c064f630dfcf6018551374
SHA1 2a8483df5c2809f1dfe0c595102c474874338379
SHA256 6d9f378883c079f86c0387a5547a92c449869d806e07de10084ab04f0249018d
SHA512 dafa0cb9d0a8e0ff75a19be499751ad85372aafa856ff06dd68ecf2b1c5578bb98a040becaecf0aed2c3e4ff7372ff200fe7614334756d19fe79dd61c01d4e92

\??\c:\users\admin\appdata\roaming\subdir\update.exe

MD5 ea1c8c8fffa2b7859160fba478ce31c5
SHA1 382115209ae078d4ddaabafc29d1b39842990442
SHA256 104dd104f626d0c57d0d3d31f77fe647dacc1addd90a1dfd950bc78a2f05f739
SHA512 9cd04e2675d56781b169bb44fbe053b00734891a92d9c1c34804d6dad236bc0c51c0fc984dd13ac4c3f2b11b105a7d1c09a310738bd28b5bc40a6d9825bb96b9

memory/5036-1442-0x0000000074DC0000-0x0000000075570000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI30122\pytz\zoneinfo\UCT

MD5 38bb24ba4d742dd6f50c1cba29cd966a
SHA1 d0b8991654116e9395714102c41d858c1454b3bd
SHA256 8b85846791ab2c8a5463c83a5be3c043e2570d7448434d41398969ed47e3e6f2
SHA512 194867d0cf66c2de4969dbfeb58c775964ecb2132acdc1b000b5ef0998cefde4a2979ffc04ec8b7dcb430e43326a79d9cedb28ecea184345aa7d742eaf9234ac

memory/5036-1444-0x00000000005A0000-0x0000000000944000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI30122\pytz\zoneinfo\PRC

MD5 09dd479d2f22832ce98c27c4db7ab97c
SHA1 79360e38e040eaa15b6e880296c1d1531f537b6f
SHA256 64ffc2e43a94435a043c040d1d3af7e92d031adc78e7737af1861baa4eeef3e6
SHA512 f88ae25f3f04c7d5d5f98aafecc03cc7e4e56f1cd4c8deba6afd043f0fb7fe67b4d50e4df5493e77c6b34ba183e019442e736a13f784ba8c2847c06fd74ff200

memory/244-1529-0x0000000074DC0000-0x0000000075570000-memory.dmp

memory/244-1531-0x00000000005E0000-0x0000000000984000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI30122\pytz\zoneinfo\Europe\Skopje

MD5 6213fc0a706f93af6ff6a831fecbc095
SHA1 961a2223fd1573ab344930109fbd905336175c5f
SHA256 3a95adb06156044fd2fa662841c0268c2b5af47c1b19000d9d299563d387093a
SHA512 8149de3fd09f8e0f5a388f546ffe8823bdcda662d3e285b5cebc92738f0c6548ccb6ed2a5d086fd738cb3edc8e9e1f81c5e2e48edb0571e7ea7f131675b99327

memory/244-1671-0x0000000006CF0000-0x0000000006D00000-memory.dmp

memory/244-1311-0x00000000005E0000-0x0000000000984000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI30122\base_library.zip

MD5 73c9a2034a8445c9645a34fbf7ab2203
SHA1 7834da9b185576789f55ba983e309d049ec638ab
SHA256 def656f69a081f1ed7135da24c23b67903678417a825e8a1ce16cc4ee237b5f9
SHA512 bff6c017571978b2a198e3d604f049fab4751e45397a1f9582fffb079901ae5655532e53d04619c554f72e38bcd8ad61bffcdf85e2c5c3daea594aef13511fc2

C:\Users\Admin\AppData\Local\Temp\_MEI30122\_socket.pyd

MD5 33d939568a061c5cfdc928d25a5da029
SHA1 1699bbf85c54bfc37daffd805f24184c86bb4fea
SHA256 6050f1e6451991f88be9f1fdd3bd363293e686965401b115a2b811f45d3b187b
SHA512 44b8764990a87b487fcbcdd6ae2746103045b1a1c97d91c572109e026099d967223972552e6cf2b7d3635adeff3aa810d6b60cca8ddcd465668213a0d74bed70

C:\Users\Admin\AppData\Local\Temp\_MEI30122\_lzma.pyd

MD5 8373abee9dbbf544ba06d79450ea80c7
SHA1 77aef8f15649fa7fa6cdcb5db238761ca3f66038
SHA256 fb180eec85c32c1cd3674cef4c2fb20ab023de5280c6a06ca14827beef75bd5c
SHA512 d0d1b3440e80a3e311bca578290ecc8e4db9a935f510db3cd383af134b7100177032b8a50fa426d94d9d1acbade222646821c5a5195fac80dd56d119a5ed6efc

C:\Users\Admin\AppData\Local\Temp\_MEI30122\pyexpat.pyd

MD5 9f5b499fd36601db2f6cf1471288dc22
SHA1 77f3d11748ca99c46aaed959d687a9d1ac5d75f7
SHA256 d09b202e9b3cadbe4e0b8803525e49d766e984ab5e593d30bbf408729fab1325
SHA512 03b9b5bb6f8253e7f2893cd824e8151f8dadc29be0309f70b6e02b340528baec9e1371cf5493fd6edd2d40f17d06a5ed0647be0cb7b958e380e79017a4e39142

C:\Users\Admin\AppData\Local\Temp\_MEI30122\pyexpat.pyd

MD5 11a886189eb726d5786926cc09f9e116
SHA1 d94295368a1285681fb03bac0553eb1495d43805
SHA256 dc38bdbe10cfaa99799e0c87aa8444fc062d445b87686d6593ffca46cc938031
SHA512 405c56487a91ad1209029ca6ea125642076251f0a8c069eef0e30ce484381db7bf24d2f5cd74b83d1c8c1358f92f35fa6ed7b75601ace611cf36bb2331588684

C:\Users\Admin\AppData\Local\Temp\_MEI30122\_hashlib.pyd

MD5 5fa7c9d5e6068718c6010bbeb18fbeb3
SHA1 93e8875d6d0f943b4226e25452c2c7d63d22b790
SHA256 2e98f91087f56dfdffbbdd951cd55cd7ea771cec93d59cadb86b964ed8708155
SHA512 3104aa8b785740dc6a5261c27b2bdc6e14b2f37862fa0fba151b1bc1bfc0e5fb5b6934b95488fa47c5af3fc2b2283f333ff6517b6f8cf0437c52cf171da58bf5

C:\Users\Admin\AppData\Local\Temp\_MEI30122\_decimal.pyd

MD5 49b8cd4d750fe59adfb1cf8252c3efe0
SHA1 01f6e81b46f417233262df5282e233fdad369686
SHA256 0af14298b022d615fc12de4034068985928fe6b7ab6bae3f5be3a8adad379074
SHA512 eea62d90d09502eb1ed425dd7c43355356c94f35740b78469db6d74b7c362ecec01806b1e1071bb741d68391996f8960b4642e98831525ee2886867d202cd07c

C:\Users\Admin\AppData\Local\Temp\_MEI30122\_cffi_backend.cp38-win_amd64.pyd

MD5 63d215a26af1efa2960d9f20d3f1733e
SHA1 5fa7245beb5ddf1a6f7ef93c60541877c5332d9d
SHA256 6ee661b754b900c6f62b60864b586d564abd6ae70ec178634138ae779672ba16
SHA512 35f68881cb1e3cbfed7ca93f7c7268c217df06f845421f52e01e76c60bccc97aeb91a22d741e7b29a660b736729c7b3a8ba1ea052eb9479139480e310855d981

C:\Users\Admin\AppData\Local\Temp\_MEI30122\cryptography\hazmat\bindings\_openssl.pyd

MD5 76d0d9d8e83a77e90199ce1f6f8b5f5a
SHA1 b8218fc135fe4a035b5e4fc25d85a0a4d60fcda1
SHA256 50881d50b27d297d5bfc1137b53ad54fffc9404aba86ca3e9eca07a9a51aeec4
SHA512 ee9c4189dd7afefed94a05e8021089788f5aa148540239764556b0313e4bf4c925e44da8c240913286b1538aebf9a7870acfd33c67c4028b26daf1407a3d2c69

C:\Users\Admin\AppData\Local\Temp\_MEI30122\cryptography\hazmat\bindings\_openssl.pyd

MD5 b9419202514b3b9852b67557e20d3228
SHA1 8e00b81f2ff2b2623f388194d475c4544f71ac56
SHA256 28bdcc082d06c365be3a0e138aad35fc34c991a5a635829e5cf9c8b33f517f03
SHA512 4735caebc94bd6bc1af449005df621e45e25a5f791a7ecf11744773336dd6045c958ff681f1c6f32ba5de359af948a7ef87067de187d70950d984979b766efd3

C:\Users\Admin\AppData\Local\Temp\_MEI30122\_elementtree.pyd

MD5 4d1c727663b949fa6aba4f9a71693dc9
SHA1 fe77deb2b1da2bd30206e50d48d67ac8b9c84fd6
SHA256 bcd6f366a7125de7e33ade6f20032cb134e530883c5af9fca74fcdfa2151648a
SHA512 df51023da0de97624b354451829b2b2c6bb9d90db5c022dd3d38cdb5e3d4c329c5250e2c34879e95af2e270d454e4bc599a52b4ebaf8ca023f5d60f1a1537ffe

C:\Users\Admin\AppData\Local\Temp\_MEI30122\unicodedata.pyd

MD5 07561b1b4ef603f4e49af11728cb01ba
SHA1 fe43d34937c9950183580314b93ffd16b122ff8a
SHA256 00460393c75a89e64204f81d2df2dd5a9af2505685e3364be9bd27c319f10836
SHA512 21635f0b2e1bc0b51984b286ecb8634e5c6e7e6d000897e1ef5495c235cfa29b2a2dd37e4e3b4cb0a8e1b7bedfa05236394cb61516fbcffd3b8f26d5c0166073

C:\Users\Admin\AppData\Local\Temp\_MEI30122\unicodedata.pyd

MD5 ab37e7c3ce672418bdbc5318b8d8998d
SHA1 0c45bfa46aa8ec5c5832dd3406a3755be3321674
SHA256 a74c6def39ab9000a82a558dc4f4af0e00e21ce782cc5bfe6f7d0856e7d022ef
SHA512 7ac7bf6b7c0b810174fb82d91b77c672cdb07db2e3bec579063f8087b8ef99b97dad65d963ac5533ca5968b642f023ac2cd57e75290ba8cae19d7f838879762a

C:\Users\Admin\AppData\Local\Temp\_MEI30122\certifi\cacert.pem

MD5 c760591283d5a4a987ad646b35de3717
SHA1 5d10cbd25ac1c7ced5bfb3d6f185fa150f6ea134
SHA256 1a14f6e1fd11efff72e1863f8645f090eec1b616614460c210c3b7e3c13d4b5e
SHA512 c192ae381008eaf180782e6e40cd51834e0233e98942bd071768308e179f58f3530e6e883f245a2630c86923dbeb68b624c5ec2167040d749813fedc37a6d1e6

C:\Users\Admin\AppData\Local\Temp\_MEI30122\_queue.pyd

MD5 1fc2c6b80936efc502bfc30fc24caa56
SHA1 4e5b26ff3b225906c2b9e39e0f06126cfc43a257
SHA256 9c47a3b84012837c60b7feced86ed0a4f12910a85fd259a4483a48cd940e3514
SHA512 d07655d78aca969ccc0d7cedf9e337c7b20082d80be1d90d69c42be933fbab1c828316d2eb5461ded2ff35e52762e249fc0c2bccbc2b8436488fb6a270d3d9ee

C:\Users\Admin\AppData\Local\Temp\ZPir7R0lgWyP.bat

MD5 7a9b8cbae504ae5f319cd840ff19c5d8
SHA1 19fe5deb02f2fde14997ba7a80be7218fb321bf3
SHA256 1295ec594175759a4e1405bc172d8a7f8595b0045afecd107b8bc9fcfe14280b
SHA512 c65aed58d09bc0d560b0d9b48eba66e66d35836f9fabd32b8a0ca099ca0830a456bc23cc892c88f5b74c103584c0579367beb991b5b5028f6850750faf3bee47

C:\Users\Admin\AppData\Local\Temp\_MEI30122\_lzma.pyd

MD5 60e215bb78fb9a40352980f4de818814
SHA1 ff750858c3352081514e2ae0d200f3b8c3d40096
SHA256 c4d00582dee45841747b07b91a3e46e55af79e6518ec9f0ce59b989c0acd2806
SHA512 398a441de98963873417da6352413d080620faf2ae4b99425d7c9eaf96d5f2fdf1358e21f16870bdff514452115266a58ee3c6783611f037957bfa4bcec34230

C:\Users\Admin\AppData\Local\Temp\_MEI30122\_bz2.pyd

MD5 fc0d862a854993e0e51c00dee3eec777
SHA1 20203332c6f7bd51f6a5acbbc9f677c930d0669d
SHA256 e5de23dbac7ece02566e79b3d1923a8eeae628925c7fb4b98a443cad94a06863
SHA512 b3c2ade15cc196e687e83dd8d21ce88b83c8137a83cfc20bc8f2c8f3ab72643ef7ca08e1dc23de0695f508ba0080871956303ac30f92ab865f3e4249d4d65c2f

C:\Users\Admin\AppData\Local\Temp\_MEI30122\libssl-1_1.dll

MD5 8eff2c03faad21dd88cca960020c26e4
SHA1 6d070a751d51e2f176dd52a60bf0321dc75d9263
SHA256 cc1451dd2bc9b8b705488964205b6d467d1d96dc6c3429e8c105808c50422510
SHA512 210ecb01e540e45c651e0e9167285c231b80497fd46776e4b5959a03fa9c89d7b1d43f128388b272227d247043f8fdc8f4cadb2e3a6f6130b5641c6eaff4b396

C:\Users\Admin\AppData\Local\Temp\_MEI30122\libssl-1_1.dll

MD5 e63391ae07dc3ce8b3655c7cb327a601
SHA1 e1a3a8080baf29a7a15cf253858241d352a0d5bb
SHA256 c7572cc74706cc52ecf95905a38b0dc5064014c9ef1a30b2205968d90d540688
SHA512 1300664f2bf1c31cc340724b9b28f301be35ec9052832b065f0d814eb03d9c402e5fcb6dd68a3063b2662c506ec34f359ae6aadcdaea037c5f36faf45c1ece8f

C:\Users\Admin\AppData\Local\Temp\_MEI30122\libcrypto-1_1.dll

MD5 eb8b459deae552cab848f991407123e5
SHA1 e97e400302943af2c9ac92a9e0ac8cdf0424fab3
SHA256 6209a70f556d35df256a0e2f6abf6c710b4ea427f7a713160f73bf3854d7c8aa
SHA512 853ae42f2a988351db2b81e9752c9dc0c656579ffd23862a618f223c5778179006bd5f6a7db09675574f4dc46cc7210a8b4e41390b775e2dc9f2a3a55e8cd13a

C:\Users\Admin\AppData\Local\Temp\_MEI30122\libcrypto-1_1.dll

MD5 1e756842922d3dddb939176942bcf49c
SHA1 ceca218d97dfee8415f39cff856419034b884b56
SHA256 75a44f1873f9c99568f7cdb47bd2a8fd3b9188fdb7a23d7bc1c97182dbabea50
SHA512 f85e67ec2158cd413078d8d125cf36539efc967a4acc19e4a5991a635ecd7ec5301fd2137a103495eda94d814804a92591d33e481afbf8276d790c01c8f8b9cd

C:\Users\Admin\AppData\Local\Temp\_MEI30122\_ssl.pyd

MD5 84dea8d0acce4a707b094a3627b62eab
SHA1 d45dda99466ab08cc922e828729d0840ae2ddc18
SHA256 dcf6b3ff84b55c3859d0f176c4ce6904c0d7d4643a657b817c6322933dbf82f6
SHA512 fdaa7eb10f8bf7b42a5c9691f600eff48190041a8b28a5dab977170db717fff58dd0f64b02ca30d274552ff30ee02a6577f1465792cf6760366c2588bf373108

C:\Users\Admin\AppData\Local\Temp\_MEI30122\select.pyd

MD5 a2ab334e18222738dcb05bf820725938
SHA1 2f75455a471f95ac814b8e4560a023034480b7b5
SHA256 7ba95624370216795ea4a087c326422cfcbccc42b5ada21f4d85c532c71afad7
SHA512 72e891d1c7e5ea44a569283b5c8bd8c310f2ee3d3cc9c25c6a7d7d77a62cb301c822c833b0792c3163cf0b0d6272da2f667e6bc74b07ed7946082433f77d9679

C:\Users\Admin\AppData\Local\Temp\_MEI30122\_socket.pyd

MD5 1d53841bb21acdcc8742828c3aded891
SHA1 cdf15d4815820571684c1f720d0cba24129e79c8
SHA256 ab13258c6da2c26c4dca7239ff4360ca9166ea8f53bb8cc08d2c7476cab7d61b
SHA512 0266bcbcd7ca5f6c9df8dbeea00e1275932dacc38e5dd83a47bfbb87f7ca6778458a6671d8b84a63ae9216a65975da656ba487ac28d41140122f46d0174fa9f9

C:\Users\Admin\AppData\Local\Temp\_MEI30122\libffi-7.dll

MD5 eef7981412be8ea459064d3090f4b3aa
SHA1 c60da4830ce27afc234b3c3014c583f7f0a5a925
SHA256 f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081
SHA512 dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016

memory/244-4705-0x00000000005E0000-0x0000000000984000-memory.dmp

memory/244-4704-0x0000000074DC0000-0x0000000075570000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI30122\_ctypes.pyd

MD5 8adb1345c717e575e6614e163eb62328
SHA1 f1ee3fff6e06dc4f22a5eb38c09c54580880e0a3
SHA256 65edc348db42347570578b979151b787ceebfc98e0372c28116cc229494a78a8
SHA512 0f11673854327fd2fcd12838f54c080edc4d40e4bcb50c413fe3f823056d189636dc661ea79207163f966719bf0815e1ffa75e2fb676df4e56ed6321f1ff6cae

C:\Users\Admin\AppData\Local\Temp\_MEI30122\python3.dll

MD5 9779c701be8e17867d1d92d470607948
SHA1 6aae834541ccc73d1c87c9f1a12df4ac0cf9001f
SHA256 59e6421802d30326c1704f15acc2b2888097241e291aba4860d1e1fc3d26d4bf
SHA512 4e34bcdd2093347d2b4e5c0f8c25f5d36d54097283faf5b2be1c75d717f716d459a45336647d3360457f25417952e62f8f21f5a720204fe5b894d5513e43e782

C:\Users\Admin\AppData\Local\Temp\_MEI30122\VCRUNTIME140.dll

MD5 18571d6663b7d9ac95f2821c203e471f
SHA1 3c186018df04e875d6b9f83521028a21f145e3be
SHA256 0b040a314c19ff88f38fd9c89dca2d493113a6109adb8525733c3f6627da888f
SHA512 c8cbca1072b8cb04f9d82135c91ff6d7a539cb7a488671cecb6b5e2f11a4807f47ad9af5a87ebee44984ab71d7c44fc87850f9d04fd2c5019ec1b6a1b483ca21

C:\Users\Admin\AppData\Local\Temp\_MEI30122\python38.dll

MD5 f2fddcd031a67e1b7c3515354539fec6
SHA1 e587db2d127a47b590bca1e9774a43246b848177
SHA256 60dafe7cebd310c7092667aab8cbae0496f79bbf293af95fde73f67913eaf052
SHA512 895c248aff668a75addf017510e5fd1cb5512e1cf8f9a2fce62f9cb294250fef9faa61e0c5f4520d54f978baacec9f0d569ef00b566321d4b85c4d483089ef7e

C:\Users\Admin\AppData\Local\Temp\_MEI30122\python38.dll

MD5 22d34cba39c80b72b24d9bbed87b96c9
SHA1 60cd3edb14b55d64c31f67dc0f2c2db9c334d6f9
SHA256 7ab4894b018c3c6e7b7d1e56a44961342d118541b14cc9c5a5735fa9d7a8b1ec
SHA512 18e283786a401d46eda285d933e78b9798b618a8ee8ce05e5167f40d08763682d622dc7c0657478dd8d281b49fe0270dd836bbbbc9d9d3226ed0d24a23c22757

C:\Users\Admin\AppData\Local\Temp\_MEI30122\env.exe.manifest

MD5 942da41600012b292726eb8740e761f1
SHA1 351ae82b367cc4681a25d413c8918644b5a3bf01
SHA256 9753cd50d1d8586029c2d3d11e42c07418597e75299aa545b5e6cdf15053e559
SHA512 33c8d3c1ce6bc864877b23a6690cb31e36909a89b5b101b46e63827ab19e5a933bc45bb48bbb7dffda25fbc86f28ee89ff6b6904fab2e807155a5e2c160df4d3

C:\Users\Admin\AppData\Local\Temp\Bscz.exe

MD5 b727383310b1626693add5a17e15ac08
SHA1 191426e4db25269446959d966bee2e2b3c9c57f4
SHA256 6481ce2b9dedb44616f6b04ee6c270c6d69bb125c7f8d21d6e2354b9e4fa6caa
SHA512 4965878dcf9018325176bf3f0ef38202b50880519d304564f25ecaf33a766f04e27017f0f0d3c42f06c4069c50582dd5b1cad3fbd6bf7d2e5e5ebb812d043717

memory/7756-4707-0x00000000005E0000-0x0000000000984000-memory.dmp

C:\Users\Admin\AppData\Roaming\SubDir\update.exe

MD5 35f204fb6a25a93fa14cc64ad329caaf
SHA1 02f457c2e815e26acfbe177ad94813faa4f818e5
SHA256 0ebafd9e929269f50562ce78275b1d17b72622628cfec24f5b1fbb47b36923f5
SHA512 7712bf2bee856c972789798696112d8790360362fed06712727b2195874695300e108037076f68f1593c209154b538b25d82e16320b51176fb1f412ba565a04a

memory/7756-4709-0x00000000005E0000-0x0000000000984000-memory.dmp

memory/7756-4708-0x00000000746B0000-0x0000000074E60000-memory.dmp

memory/7756-4710-0x0000000006CC0000-0x0000000006CD0000-memory.dmp

F:\autorun.inf

MD5 cafa545650045f5722a53684cc176191
SHA1 a220b3c32488f94c4b119646dadf5f1d310a8509
SHA256 190e36a174f727cb4807e525f556ec7d522723540d12cb637d2e0e88e009da9f
SHA512 cd3eeddf6bf358521b98563f4086566383c08b7cdbf6b67deb211766f76b1546253cf08408e8fed156fc2a9a9391ac371cfcd2df9f6b50f3b6efa6ee7cf443e2

C:\Users\Admin\AppData\Roaming\Logs\12-20-2023

MD5 ffd207a9a3dc0fef5f3e4d81958d085f
SHA1 ec507bf503acf319d0acb770b954ed7e85cc675f
SHA256 07245e03dbb3880ee39c11249f47af001b1fd59f8e01c1fb3e6dfd13f40eb333
SHA512 c140b88cf7fbb9a1b5f5f689a14b3fc587786fa8d9bec707d4ae963e1636d4820160df2d6825c7f0dd9355ab76fb0b4fb012439051fe5114a632d8391a46ee26

C:\Users\Admin\AppData\Local\Temp\jAnv9mNGqMPu.bat

MD5 eab25ce2b10b8136df839e9473596a90
SHA1 f0938044fed9cc484722163dd57e0ccbb1ff627e
SHA256 3294f26d399f3e8ee9913827de5340ff47efc4118f530a6548761ebd6110b383
SHA512 7c991009e104d3d91b9809b0928e2add17cfb16b9742e11324e20132297a7002f0a40f60daa16176b753aea19bfd5511fd6014047c3034b2fa69fc6b90532d00

memory/7756-4723-0x00000000746B0000-0x0000000074E60000-memory.dmp

memory/7756-4722-0x00000000005E0000-0x0000000000984000-memory.dmp

C:\Users\Admin\AppData\Roaming\SubDir\update.exe

MD5 eb80f14101f1b1e70999410ba29838f1
SHA1 36ef68ff0484b2f01dab2db082199a674e9e9cea
SHA256 2bf79f0ae0de5c48bcac3dad23604343a48e7d9fd1ffe34e66edb0c5e3617855
SHA512 d8720eed515f8b9949b0a707bc260f0430fd7574143c781a51ca5a8dc3174dadd41491f1a5955cff78d86ebe76db190231e196572fe07d79b85695fb89edc912

memory/8232-4725-0x00000000005E0000-0x0000000000984000-memory.dmp

memory/8232-4727-0x00000000746B0000-0x0000000074E60000-memory.dmp

memory/8232-4726-0x00000000005E0000-0x0000000000984000-memory.dmp

memory/8232-4728-0x00000000005E0000-0x0000000000984000-memory.dmp

memory/8232-4729-0x0000000007200000-0x0000000007210000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\jLnwyRsGjUJu.bat

MD5 3222b38abf14f5abab4c6f931d4fdbef
SHA1 c83ee22db6f54acc0cf5f83e858945264647f176
SHA256 df58b06333246906d50444b8714ab06e4d91c6bcb02a3aae75ce28730e4e4353
SHA512 aaf0213c842820f89d04caa06e612988193a729f1435021cdd53bea2c4c983775399f0ad704ecba0ffd34cfb811af66b3167f51a833b666d9a161dc1c16b97a1

memory/8232-4741-0x00000000005E0000-0x0000000000984000-memory.dmp

memory/8232-4742-0x00000000746B0000-0x0000000074E60000-memory.dmp

memory/8696-4744-0x00000000005E0000-0x0000000000984000-memory.dmp

C:\Users\Admin\AppData\Roaming\SubDir\update.exe

MD5 959f9e996dfa23be4a39e75238d51264
SHA1 5654681346088c8b625b75660d9473d49a91a09e
SHA256 4a0308af521568341e494b5ca19a353914fae635f65b26f294754b5e11715b62
SHA512 fb29965bddcae20905250349b7270ca5832c59dc9722b0bf35504e523572acf2c41189e0b3d89cf622923fe89407444a3599c196c6aa5797f4c11d598d13092a

memory/8696-4745-0x00000000005E0000-0x0000000000984000-memory.dmp

memory/8696-4747-0x00000000005E0000-0x0000000000984000-memory.dmp

memory/8696-4746-0x00000000746B0000-0x0000000074E60000-memory.dmp

memory/8696-4748-0x0000000006BA0000-0x0000000006BB0000-memory.dmp

C:\Users\Admin\AppData\Roaming\Logs\12-20-2023

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/8696-4758-0x00000000005E0000-0x0000000000984000-memory.dmp

memory/8696-4759-0x00000000746B0000-0x0000000074E60000-memory.dmp

memory/5340-4760-0x00000000005E0000-0x0000000000984000-memory.dmp

memory/5340-4761-0x00000000005E0000-0x0000000000984000-memory.dmp

memory/5340-4762-0x00000000746B0000-0x0000000074E60000-memory.dmp

memory/5340-4763-0x00000000005E0000-0x0000000000984000-memory.dmp

memory/5340-4764-0x0000000006930000-0x0000000006940000-memory.dmp

memory/5340-4773-0x00000000746B0000-0x0000000074E60000-memory.dmp

memory/5340-4772-0x00000000005E0000-0x0000000000984000-memory.dmp

memory/5740-4774-0x00000000005E0000-0x0000000000984000-memory.dmp

memory/5740-4777-0x00000000005E0000-0x0000000000984000-memory.dmp

memory/5740-4776-0x00000000005E0000-0x0000000000984000-memory.dmp

memory/5740-4778-0x0000000006710000-0x0000000006720000-memory.dmp

memory/5740-4775-0x00000000746B0000-0x0000000074E60000-memory.dmp

memory/5740-4787-0x00000000746B0000-0x0000000074E60000-memory.dmp

memory/5740-4786-0x00000000005E0000-0x0000000000984000-memory.dmp

memory/6004-4788-0x00000000005E0000-0x0000000000984000-memory.dmp

memory/6004-4790-0x00000000746B0000-0x0000000074E60000-memory.dmp

memory/6004-4789-0x00000000005E0000-0x0000000000984000-memory.dmp

memory/6004-4791-0x0000000007020000-0x0000000007030000-memory.dmp

memory/6004-4799-0x00000000005E0000-0x0000000000984000-memory.dmp

memory/6004-4800-0x00000000746B0000-0x0000000074E60000-memory.dmp

memory/6768-4801-0x00000000005E0000-0x0000000000984000-memory.dmp

memory/6768-4802-0x00000000005E0000-0x0000000000984000-memory.dmp