Analysis Overview
SHA256
ec5fa919b523ea3effb48a867b496d30a3bbf2208bc5652f812ebd0d87889ad0
Threat Level: Known bad
The file loader.exe was found to be: Known bad.
Malicious Activity Summary
Quasar payload
Quasar RAT
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Checks computer location settings
Themida packer
Checks BIOS information in registry
Executes dropped EXE
Checks whether UAC is enabled
Suspicious use of NtSetInformationThreadHideFromDebugger
Enumerates physical storage devices
Unsigned PE
Suspicious use of SendNotifyMessage
Runs ping.exe
Suspicious use of AdjustPrivilegeToken
Creates scheduled task(s)
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Analysis: static1
Detonation Overview
Reported
2024-06-10 15:29
Signatures
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-10 15:29
Reported
2024-06-10 20:10
Platform
win10-20240404-en
Max time kernel
1798s
Max time network
1801s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target | Count |
| N/A | N/A | N/A | N/A | 5 |
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\loader.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Roaming\en\defenderx64.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\loader.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\loader.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Roaming\en\defenderx64.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Roaming\en\defenderx64.exe | N/A |
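Both executables open HKLM\HARDWARE\ACPI\DSDT\VBOX__ and read the two BIOS version strings. Windows publishes every ACPI table under a key named after the table's OEM ID, which is "VBOX  " on a stock VirtualBox guest, and an unmodified guest also carries VirtualBox strings in SystemBiosVersion and VideoBiosVersion; a sandbox that changes the hypervisor's OEM ID and BIOS strings makes all three checks miss. The script below reproduces the checks against a constructed registry snapshot so that it runs anywhere, and reads the live registry through winreg on Windows. It is an added example, not the sample's code: the key and value names are the ones logged above, the two registry snapshots are constructed, and the VM_MARKERS substrings are an assumption about what the sample compares against, since the report only records which keys were read.

```python
"""Reproduce the VirtualBox registry checks logged above and show why renaming
the hypervisor's ACPI/BIOS identity defeats them.

Added example, not the sample's code. Key and value names are the ones in the
report; the two registry snapshots are constructed; VM_MARKERS is an assumption
about what the sample compares against (the report only shows what it reads).
"""
import sys
from dataclasses import dataclass
from typing import Callable, Optional

# HKLM-relative paths exactly as logged for loader.exe and defenderx64.exe.
ACPI_VBOX_KEY = r"HARDWARE\ACPI\DSDT\VBOX__"
BIOS_VALUES = [
    (r"HARDWARE\DESCRIPTION\System", "SystemBiosVersion"),
    (r"HARDWARE\DESCRIPTION\System", "VideoBiosVersion"),
]
# Assumption: substrings a VirtualBox check typically greps for.
VM_MARKERS = ("VBOX", "VIRTUALBOX", "INNOTEK")


@dataclass
class RegistryReader:
    """Two callables so the check runs against a snapshot or the live registry."""
    key_exists: Callable[[str], bool]
    read_value: Callable[[str, str], Optional[str]]


def detect_virtualbox(reg: RegistryReader) -> list[str]:
    """Return the artefacts a VirtualBox check finds (empty list = looks bare-metal)."""
    hits = []
    # Windows exposes every ACPI table under a key named after its OEM ID;
    # VirtualBox's DSDT carries OEM ID "VBOX  ", hence VBOX__.
    if reg.key_exists(ACPI_VBOX_KEY):
        hits.append(f"key present: HKLM\\{ACPI_VBOX_KEY}")
    for path, name in BIOS_VALUES:
        value = reg.read_value(path, name)
        if value and any(marker in value.upper() for marker in VM_MARKERS):
            hits.append(f"{name} = {value!r}")
    return hits


# Constructed snapshot resembling a stock VirtualBox guest.
FAKE_VBOX_REGISTRY = {
    "keys": {ACPI_VBOX_KEY},
    "values": {
        (r"HARDWARE\DESCRIPTION\System", "SystemBiosVersion"): "VBOX   - 1",
        (r"HARDWARE\DESCRIPTION\System", "VideoBiosVersion"): "Oracle VM VirtualBox Version 7.0",
    },
}
# Constructed snapshot of the same guest after the sandbox operator changed the
# DSDT OEM ID and BIOS strings: the ACPI key is now named after the new OEM ID.
FAKE_HARDENED_REGISTRY = {
    "keys": {r"HARDWARE\ACPI\DSDT\DELL__"},
    "values": {
        (r"HARDWARE\DESCRIPTION\System", "SystemBiosVersion"): "DELL   - 1072009",
        (r"HARDWARE\DESCRIPTION\System", "VideoBiosVersion"): "Hardware Version 0.0",
    },
}


def snapshot_reader(snapshot: dict) -> RegistryReader:
    """Reader over a constructed {keys, values} snapshot (runs on any OS)."""
    return RegistryReader(
        key_exists=lambda path: path in snapshot["keys"],
        read_value=lambda path, name: snapshot["values"].get((path, name)),
    )


def live_reader() -> RegistryReader:
    """Reader over the real HKLM hive via the stdlib winreg module (Windows only)."""
    import winreg

    def key_exists(path: str) -> bool:
        try:
            winreg.CloseKey(winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path))
            return True
        except OSError:
            return False

    def read_value(path: str, name: str) -> Optional[str]:
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as key:
                data, _ = winreg.QueryValueEx(key, name)
        except OSError:
            return None
        # SystemBiosVersion is REG_MULTI_SZ and comes back as a list of strings.
        return " ".join(data) if isinstance(data, list) else str(data)

    return RegistryReader(key_exists, read_value)


if __name__ == "__main__":
    reader = live_reader() if sys.platform == "win32" else snapshot_reader(FAKE_VBOX_REGISTRY)
    hits = detect_virtualbox(reader)
    print("VirtualBox artefacts found:" if hits else "no VirtualBox artefacts")
    for h in hits:
        print("   -", h)
```

Run on a Windows analysis VM it reports exactly what this sample would see; the hardened snapshot shows the cheap fix on the sandbox side, which is to present a non-VirtualBox OEM ID and BIOS strings rather than to hook the registry calls.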
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\en\defenderx64.exe | N/A |
Themida packer
| Description | Indicator | Process | Target | Count |
| N/A | N/A | N/A | N/A | 6 |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\loader.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Roaming\en\defenderx64.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\loader.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\en\defenderx64.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\loader.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\loader.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\en\defenderx64.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\en\defenderx64.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\loader.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\en\defenderx64.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\en\defenderx64.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\en\defenderx64.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\loader.exe
"C:\Users\Admin\AppData\Local\Temp\loader.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\en\defenderx64.exe
"C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
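The two schtasks command lines above are the sample's persistence mechanism, and the flag combination is the one the open-source Quasar client uses for its startup task when it runs under an administrator account: /sc ONLOGON re-launches the copy at every logon, /rl HIGHEST asks for the highest integrity level the registering account can get, so for an administrator the task starts elevated at logon without a UAC prompt, and /f overwrites any existing task of the same name. The script below, an added example rather than anything from the sandbox or the sample, parses such command lines out of a process list and scores them; the two command lines it carries are copied from the Processes section, while the scoring rules, path patterns and field names are this example's own.

```python
"""Parse schtasks /create command lines from a sandbox process list and score
them for persistence abuse.

Added example for this report, not sandbox output or the sample's code.
OBSERVED_CMDLINES is copied from the Processes section; the scoring rules,
patterns and field names are this example's own.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

OBSERVED_CMDLINES = [
    r'"schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON '
    r'/tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f',
    r'"schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON '
    r'/tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f',
]

TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')
VALUELESS = {"/create", "/f", "/it", "/np", "/z", "/v1"}  # switches without an argument
# Directories an unprivileged user can write to (assumption: typical drop locations).
USER_WRITABLE = re.compile(r"\\(AppData|Users\\Public|ProgramData|Temp)\\", re.I)
# Task names that borrow the name of a Windows security component.
LURE_NAME = re.compile(r"defender|windows\s*security|security\s*health", re.I)
PERSIST_TRIGGERS = {"ONLOGON", "ONSTART", "ONIDLE"}


def tokenize(cmdline: str) -> list[str]:
    """Split a Windows command line on whitespace, keeping quoted spans whole."""
    return [quoted or bare for quoted, bare in TOKEN_RE.findall(cmdline)]


@dataclass
class ScheduledTask:
    name: Optional[str] = None
    schedule: Optional[str] = None
    run: Optional[str] = None
    run_level: Optional[str] = None
    force: bool = False
    other: dict = field(default_factory=dict)


def parse_schtasks_create(cmdline: str) -> Optional[ScheduledTask]:
    """Return the task described by a `schtasks /create` line, else None."""
    toks = tokenize(cmdline)
    if not toks:
        return None
    exe = toks[0].lower().rsplit("\\", 1)[-1]
    if exe not in ("schtasks", "schtasks.exe") or "/create" not in {t.lower() for t in toks}:
        return None
    task = ScheduledTask()
    i = 1
    while i < len(toks):
        switch = toks[i].lower()
        if switch in VALUELESS:
            task.force |= switch == "/f"
            i += 1
        elif switch.startswith("/") and i + 1 < len(toks):
            value = toks[i + 1]
            if switch == "/tn":
                task.name = value
            elif switch == "/sc":
                task.schedule = value.upper()
            elif switch == "/tr":
                task.run = value
            elif switch == "/rl":
                task.run_level = value.upper()
            else:
                task.other[switch] = value
            i += 2
        else:
            i += 1
    return task


def assess(task: ScheduledTask) -> list[str]:
    """List the reasons a task looks like malware persistence (score = len)."""
    reasons = []
    if task.schedule in PERSIST_TRIGGERS:
        reasons.append(f"{task.schedule} trigger: re-launched without user action")
    if task.run_level == "HIGHEST":
        reasons.append("/rl HIGHEST: runs elevated for an admin account, no UAC prompt")
    if task.run and USER_WRITABLE.search(task.run):
        reasons.append("task binary sits in a user-writable directory")
    if task.name and LURE_NAME.search(task.name):
        reasons.append("task name impersonates a Windows security component")
    if task.force:
        reasons.append("/f: silently replaces an existing task of that name")
    return reasons


def triage(cmdlines: list[str]) -> list[tuple[ScheduledTask, list[str]]]:
    """Parse every schtasks /create line and return (task, reasons) pairs."""
    results = []
    for line in cmdlines:
        task = parse_schtasks_create(line)
        if task is not None:
            results.append((task, assess(task)))
    return results


if __name__ == "__main__":
    for task, reasons in triage(OBSERVED_CMDLINES):
        print(f"{task.name!r} -> {task.run}  [score {len(reasons)}/5]")
        for r in reasons:
            print("   -", r)
```

Feed it the command lines from Sysmon event ID 1 or the sandbox process tree; a task hitting all five rules, as both lines here do, is worth an immediate look regardless of what the binary is called.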
Network
| Country | Destination | Domain | Proto | Count |
| US | 8.8.8.8:53 | lvke-45989.portmap.host | udp | 1 |
| DE | 193.161.193.99:45989 | lvke-45989.portmap.host | tcp | 6 |
| US | 8.8.8.8:53 | 137.71.105.51.in-addr.arpa | udp | 1 |
| DE | 193.161.193.99:45989 | lvke-45989.portmap.host | tcp | 2 |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp | 1 |
| DE | 193.161.193.99:45989 | lvke-45989.portmap.host | tcp | 5 |
| US | 8.8.8.8:53 | lvke-45989.portmap.host | udp | 1 |
| DE | 193.161.193.99:45989 | lvke-45989.portmap.host | tcp | 7 |
| NL | 52.142.223.178:80 | | tcp | 1 |
| US | 8.8.8.8:53 | 164.189.21.2.in-addr.arpa | udp | 1 |
| DE | 193.161.193.99:45989 | lvke-45989.portmap.host | tcp | 6 |
| US | 8.8.8.8:53 | lvke-45989.portmap.host | udp | 1 |
| DE | 193.161.193.99:45989 | lvke-45989.portmap.host | tcp | 13 |
| US | 8.8.8.8:53 | lvke-45989.portmap.host | udp | 1 |
| DE | 193.161.193.99:45989 | lvke-45989.portmap.host | tcp | 13 |
| US | 8.8.8.8:53 | lvke-45989.portmap.host | udp | 1 |
| DE | 193.161.193.99:45989 | lvke-45989.portmap.host | tcp | 22 |
| US | 8.8.8.8:53 | lvke-45989.portmap.host | udp | 1 |
| DE | 193.161.193.99:45989 | lvke-45989.portmap.host | tcp | 47 |
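The table shows the Quasar client's connect loop: 121 TCP connections to 193.161.193.99:45989 over the run, with lvke-45989.portmap.host re-resolved between bursts, and the destination port embedded in the hostname label. That label format is the naming scheme of the portmap.host port-forwarding service (an assumption about the service; the report itself records only the name and the matching port), so the address visible here is the relay and the operator's host sits behind it. The script below, an added example and not sandbox output, parses raw pipe-table rows of this kind, repairs the one misaligned row (the 52.142.223.178:80 entry, where the protocol slid into the Domain column), counts flows per endpoint, decodes the in-addr.arpa PTR queries, and picks the C2 candidate; SAMPLE_ROWS is a shortened copy of this table and the heuristics are this example's own.

```python
"""Summarise a sandbox Network table and pick out the C2 endpoint.

Added example for this report, not sandbox output. SAMPLE_ROWS is a
shortened copy of the Network table above in its raw pipe layout, including
the one misaligned row; the beacon heuristics are this example's own.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

SAMPLE_ROWS = """\
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | lvke-45989.portmap.host | udp |
| DE | 193.161.193.99:45989 | lvke-45989.portmap.host | tcp |
| DE | 193.161.193.99:45989 | lvke-45989.portmap.host | tcp |
| DE | 193.161.193.99:45989 | lvke-45989.portmap.host | tcp |
| US | 8.8.8.8:53 | 137.71.105.51.in-addr.arpa | udp |
| DE | 193.161.193.99:45989 | lvke-45989.portmap.host | tcp |
| NL | 52.142.223.178:80 | tcp | |
| US | 8.8.8.8:53 | lvke-45989.portmap.host | udp |
| DE | 193.161.193.99:45989 | lvke-45989.portmap.host | tcp |
"""

PROTOCOLS = {"tcp", "udp"}
# "<label>-<port>." : a hostname label that embeds a port number, as port-forwarding
# relays such as portmap.host generate them (assumption about the naming scheme).
PORT_IN_LABEL = re.compile(r"-(\d{2,5})\.")


@dataclass(frozen=True)
class Flow:
    country: str
    ip: str
    port: int
    proto: str
    domain: str


def parse_rows(table: str) -> list[Flow]:
    """Parse `| Country | ip:port | domain | proto |` rows into Flow records."""
    flows = []
    for line in table.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4 or cells[0] == "Country":
            continue
        country, dest, domain, proto = cells
        # Misaligned row in the source: the protocol landed in the Domain column
        # and the Proto column is empty. Put the cells back where they belong.
        if not proto and domain.lower() in PROTOCOLS:
            domain, proto = "", domain
        ip, _, port = dest.rpartition(":")
        flows.append(Flow(country, ip, int(port), proto.lower(), domain))
    return flows


def endpoint_counts(flows: list[Flow]) -> Counter:
    """Flows per (ip, port, proto, domain), DNS traffic to port 53 excluded."""
    return Counter((f.ip, f.port, f.proto, f.domain)
                   for f in flows if not (f.port == 53 and f.proto == "udp"))


def ptr_target(domain: str) -> Optional[str]:
    """'137.71.105.51.in-addr.arpa' -> '51.105.71.137' (the IP being reverse-resolved)."""
    if not domain.endswith(".in-addr.arpa"):
        return None
    octets = domain[: -len(".in-addr.arpa")].split(".")
    return ".".join(reversed(octets)) if len(octets) == 4 else None


def c2_candidate(flows: list[Flow]):
    """Most-contacted non-DNS endpoint with the reasons it looks like C2."""
    counts = endpoint_counts(flows)
    if not counts:
        return None
    (ip, port, proto, domain), n = counts.most_common(1)[0]
    total = sum(counts.values())
    reasons = [f"{n} of {total} non-DNS flows ({n / total:.0%}) go to this endpoint"]
    m = PORT_IN_LABEL.search(domain)
    if m and int(m.group(1)) == port:
        reasons.append("hostname label embeds the destination port: port-forwarding relay")
    if domain.endswith(".portmap.host"):
        reasons.append("portmap.host relay: the operator's real host is behind it")
    return (ip, port, proto, domain), n, reasons


if __name__ == "__main__":
    flows = parse_rows(SAMPLE_ROWS)
    for key, n in endpoint_counts(flows).most_common():
        print(f"{n:4d}  {key[0]}:{key[1]}/{key[2]}  {key[3] or '-'}")
    print("PTR lookups for:", [ptr_target(f.domain) for f in flows if ptr_target(f.domain)])
    endpoint, n, reasons = c2_candidate(flows)
    print(f"C2 candidate {endpoint[0]}:{endpoint[1]} ({endpoint[3]}), {n} flows")
    for r in reasons:
        print("   -", r)
```

Block the relay hostname and IP:port pair, but note that a portmap.host name is per-customer and the relay IP is shared, so the durable indicator is the hostname; the single 52.142.223.178:80 flow has no domain in the report and is not attributed to the sample here.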
Files
memory/5000-0-0x0000000000400000-0x000000000109A000-memory.dmp
memory/5000-1-0x0000000074EC6000-0x0000000074EC7000-memory.dmp
memory/5000-3-0x0000000074DD0000-0x0000000074F92000-memory.dmp
memory/5000-4-0x0000000074DD0000-0x0000000074F92000-memory.dmp
memory/5000-5-0x0000000074DD0000-0x0000000074F92000-memory.dmp
memory/5000-2-0x0000000074DD0000-0x0000000074F92000-memory.dmp
memory/5000-7-0x0000000074DD0000-0x0000000074F92000-memory.dmp
memory/5000-6-0x0000000074DD0000-0x0000000074F92000-memory.dmp
memory/5000-9-0x0000000074DD0000-0x0000000074F92000-memory.dmp
memory/5000-10-0x0000000000400000-0x000000000109A000-memory.dmp
memory/5000-11-0x0000000000400000-0x000000000109A000-memory.dmp
memory/5000-12-0x0000000005630000-0x0000000005B2E000-memory.dmp
memory/5000-13-0x0000000005BC0000-0x0000000005C52000-memory.dmp
memory/5000-14-0x0000000005610000-0x000000000561A000-memory.dmp
C:\Users\Admin\AppData\Roaming\en\defenderx64.exe
| MD5 | a7162b6eabcdb753b8ec85bda90af43c |
| SHA1 | e837aa3e994604f84c3adb4f6a10dc602e326a3e |
| SHA256 | ec5fa919b523ea3effb48a867b496d30a3bbf2208bc5652f812ebd0d87889ad0 |
| SHA512 | 3aeb0173d2169d9607a9e9e12c6ded9a2e0ab68b3c522ef287d3d5245b8c9eceec903685e30698711678664c6e002f09c224b61eaadd0cd54e1646104da8a4e4 |
The SHA256 is identical to the submitted sample's (Analysis Overview): defenderx64.exe is a byte-for-byte self-copy of loader.exe placed under %APPDATA%\en, and the scheduled task above points at this copy.
memory/4248-21-0x0000000000400000-0x000000000109A000-memory.dmp
memory/5000-20-0x0000000074DD0000-0x0000000074F92000-memory.dmp
memory/5000-22-0x0000000000400000-0x000000000109A000-memory.dmp
memory/4248-23-0x0000000074DD0000-0x0000000074F92000-memory.dmp
memory/4248-25-0x0000000000400000-0x000000000109A000-memory.dmp
memory/4248-26-0x0000000000400000-0x000000000109A000-memory.dmp
memory/4248-27-0x00000000067A0000-0x0000000006DA6000-memory.dmp
memory/4248-28-0x0000000006EF0000-0x0000000006F40000-memory.dmp
memory/4248-29-0x00000000070D0000-0x0000000007182000-memory.dmp
memory/4248-32-0x0000000000400000-0x000000000109A000-memory.dmp
memory/4248-33-0x0000000074DD0000-0x0000000074F92000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-10 15:29
Reported
2024-06-10 20:10
Platform
win10v2004-20240508-en
Max time kernel
1796s
Max time network
1799s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target | Count |
| N/A | N/A | N/A | N/A | 65 |
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target | Count |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Roaming\en\defenderx64.exe | N/A | 63 |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\loader.exe | N/A | 1 |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Roaming\en\defenderx64.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Roaming\en\defenderx64.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Roaming\en\defenderx64.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Roaming\en\defenderx64.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Roaming\en\defenderx64.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Roaming\en\defenderx64.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Roaming\en\defenderx64.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Roaming\en\defenderx64.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Roaming\en\defenderx64.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Roaming\en\defenderx64.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Roaming\en\defenderx64.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Roaming\en\defenderx64.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Roaming\en\defenderx64.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Roaming\en\defenderx64.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Roaming\en\defenderx64.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Roaming\en\defenderx64.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Roaming\en\defenderx64.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Roaming\en\defenderx64.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Roaming\en\defenderx64.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Roaming\en\defenderx64.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\loader.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Roaming\en\defenderx64.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Roaming\en\defenderx64.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Roaming\en\defenderx64.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Roaming\en\defenderx64.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Roaming\en\defenderx64.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Roaming\en\defenderx64.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Roaming\en\defenderx64.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Roaming\en\defenderx64.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Roaming\en\defenderx64.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Roaming\en\defenderx64.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Roaming\en\defenderx64.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Roaming\en\defenderx64.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Roaming\en\defenderx64.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Roaming\en\defenderx64.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Roaming\en\defenderx64.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Roaming\en\defenderx64.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\en\defenderx64.exe | N/A |
Executes dropped EXE
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Roaming\en\defenderx64.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
Enumerates physical storage devices
Creates scheduled task(s)
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\loader.exe
"C:\Users\Admin\AppData\Local\Temp\loader.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\en\defenderx64.exe
"C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Lw6gQnFPAJEQ.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\en\defenderx64.exe
"C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gtro2nB3mQZj.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\en\defenderx64.exe
"C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QqvlOKfvobpi.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\en\defenderx64.exe
"C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KS4hk3AHJprV.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\en\defenderx64.exe
"C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uPXN1DUXD3H7.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\en\defenderx64.exe
"C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\K2v9eSG3OnZz.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\en\defenderx64.exe
"C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ypTJUr0aoprW.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\en\defenderx64.exe
"C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RZNR2VU3KDCr.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\en\defenderx64.exe
"C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CYDz6YKfOclZ.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\en\defenderx64.exe
"C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\U7xHQex2k9j2.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\en\defenderx64.exe
"C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\e9ts1FLK8GZl.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\en\defenderx64.exe
"C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\R5nmFYgoEocZ.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\en\defenderx64.exe
"C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ePXjLoFV9p3s.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\en\defenderx64.exe
"C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\L1wMbl9bFgfI.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\en\defenderx64.exe
"C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\v1R0lO3CIbdP.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\en\defenderx64.exe
"C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VJ8aX8tTztNe.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\en\defenderx64.exe
"C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WbOmmi8kqZdf.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\en\defenderx64.exe
"C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IPe7Dqr94ofv.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\en\defenderx64.exe
"C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\urVxJ5iiXV1J.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\en\defenderx64.exe
"C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2kQoTmYXumT8.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\en\defenderx64.exe
"C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rcSaS72EENy7.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\en\defenderx64.exe
"C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cwkWTfJjK6hf.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\en\defenderx64.exe
"C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\efFTHewDGyJe.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\en\defenderx64.exe
"C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7uAyLRr7vA1x.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\en\defenderx64.exe
"C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Z3I2fBV6YfsN.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\en\defenderx64.exe
"C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6OluCKMfMPNM.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\en\defenderx64.exe
"C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MDTQELKSHgwA.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\en\defenderx64.exe
"C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Y43Kt3UZJ8sY.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\en\defenderx64.exe
"C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\D2OaTdC4xc9y.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\en\defenderx64.exe
"C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7opAePjdpDQB.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\en\defenderx64.exe
"C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yLRPuJklTjhD.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\en\defenderx64.exe
"C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\3Jb3WdxOfBhp.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\en\defenderx64.exe
"C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\0uIhbE7svS9m.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\en\defenderx64.exe
"C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ElagPKrlj4Nn.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\en\defenderx64.exe
"C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Yo6kO30H2mFS.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\en\defenderx64.exe
"C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4wVAiBHxWwnH.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\en\defenderx64.exe
"C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Gd1EdjYNlgAS.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\en\defenderx64.exe
"C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dDvyIDGEh0JN.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\en\defenderx64.exe
"C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\J5edXCp94waN.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\en\defenderx64.exe
"C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KzBpf4TZhSFV.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\en\defenderx64.exe
"C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KthrlrILFrng.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\en\defenderx64.exe
"C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qeiLD1ab9ADp.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\en\defenderx64.exe
"C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\99I32rERwdwE.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\en\defenderx64.exe
"C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WstxVfuN5wdh.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\en\defenderx64.exe
"C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9gzoRnJl3LS0.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\en\defenderx64.exe
"C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VuTqgZhSaFKq.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\en\defenderx64.exe
"C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8Qhtftvn8pJh.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\en\defenderx64.exe
"C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yQ8Fd6PqJWvk.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\en\defenderx64.exe
"C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bqC6cj8LY9Qa.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\en\defenderx64.exe
"C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SW4tAETafTSV.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\en\defenderx64.exe
"C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RfAkPsfldce0.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\en\defenderx64.exe
"C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Iki1636UTmGw.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\en\defenderx64.exe
"C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fkJBsMZw6Wub.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\en\defenderx64.exe
"C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XaNs15Q4ji28.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\en\defenderx64.exe
"C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ewp8NS2x6JfX.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\en\defenderx64.exe
"C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Yu2NRAMZvEss.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\en\defenderx64.exe
"C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nu8DQtER2QzF.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\en\defenderx64.exe
"C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2f6pCXwFZWyV.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\en\defenderx64.exe
"C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HoMzYS1BPcAG.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\en\defenderx64.exe
"C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\5yGv1wZmhhIf.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\en\defenderx64.exe
"C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zFG8Lbqi2Nea.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\en\defenderx64.exe
"C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\3rag8TpzrdQ3.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\en\defenderx64.exe
"C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\p4DxNJ11tmsf.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\en\defenderx64.exe
"C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tc4SxzUCcCXT.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\en\defenderx64.exe
"C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8HRzNu15AStq.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\en\defenderx64.exe
"C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6AbBkHduGRyI.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\en\defenderx64.exe
"C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IZwQCWbiQfE2.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\en\defenderx64.exe
"C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ftCffKjAY0zH.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\en\defenderx64.exe
"C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AcSk1jjfCNoz.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\en\defenderx64.exe
"C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2TksavGzpoy3.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\en\defenderx64.exe
"C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GTjY8k8YNfR0.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\en\defenderx64.exe
"C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jVeKAAPhPEEC.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\en\defenderx64.exe
"C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gj8AqAhbdlHf.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\en\defenderx64.exe
"C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1Epx8dDwLF6O.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\en\defenderx64.exe
"C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hpPGxACBWk0o.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\en\defenderx64.exe
"C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\41qGm2LdQ1rN.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\en\defenderx64.exe
"C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jfP7128dkL8X.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\en\defenderx64.exe
"C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\l1QE9ysWrecs.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\en\defenderx64.exe
"C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | lvke-45989.portmap.host | udp |
Files
C:\Users\Admin\AppData\Roaming\en\defenderx64.exe
| MD5 | a7162b6eabcdb753b8ec85bda90af43c |
| SHA1 | e837aa3e994604f84c3adb4f6a10dc602e326a3e |
| SHA256 | ec5fa919b523ea3effb48a867b496d30a3bbf2208bc5652f812ebd0d87889ad0 |
| SHA512 | 3aeb0173d2169d9607a9e9e12c6ded9a2e0ab68b3c522ef287d3d5245b8c9eceec903685e30698711678664c6e002f09c224b61eaadd0cd54e1646104da8a4e4 |
C:\Users\Admin\AppData\Local\Temp\Lw6gQnFPAJEQ.bat
| MD5 | 47986904bf2c94df2a83f23f1587f231 |
| SHA1 | b3a765aeb5e6ad1b9a894e857579508e990abfcd |
| SHA256 | d044eb22ecd858082a97b4f1c5033d908e38e7c2b78c6ba4cc5564fe9f711a3a |
| SHA512 | c3e74f3d9c4fbf06cfd2bc6a4a30881c36586077e1812779dd5a67f002afe5446efde1ca2a2f7b1848b8936126acf49d64d9094031bf067e701f9791dc930e89 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\defenderx64.exe.log
| MD5 | 38b07cd5da5c740e9629fd801dc26e5a |
| SHA1 | 42816159ab9367165cf58603b09b134d488c1690 |
| SHA256 | 20049cc7ade63a31f442dfd2b99740f0512fdcc764266b8b105292e30d2b7483 |
| SHA512 | 1769ffefe181531476e10311295f38d11b85b5ec3710000b5cb081675e5f233792f96bb4178b75fd0e2cfc86965e7368173d22799a1e9fa3317ddd49047fab5a |
C:\Users\Admin\AppData\Local\Temp\gtro2nB3mQZj.bat
| MD5 | 84362a9f988e63cae1866736ada31845 |
| SHA1 | 8dc62fc03c6cc45cf0c668cb40cc7ef1fbe53c7c |
| SHA256 | c21d5129ce3a030b5cf3f122770b6472ed042d919b5882741519bebf9f9f569c |
| SHA512 | 36518f83d97ce6381248af8e2059eaca5a6d962a6fe2919f5bc81ba3a98591ec9764e3bf2edbc4a1cb0be1ec60fd187486e585f61b7a0b80ee27b8c997b2e742 |
C:\Users\Admin\AppData\Local\Temp\QqvlOKfvobpi.bat
| MD5 | 7a24ce108d227a0cae998f9b7290aa1f |
| SHA1 | ca96d97c94413502341a045ce643236e3ce011bc |
| SHA256 | ff071eaf11d61944209b0e776f8300306fb47e1075684a5bb6ce2206420c7d54 |
| SHA512 | 646027864227ca375bab5f579024b92c558302acd2d7b126bc3f3aeeb8d9a083f98382bda8ccee902d3ea91f431af94980f16ec21f07775be03f0dfcb603476b |
C:\Users\Admin\AppData\Local\Temp\KS4hk3AHJprV.bat
| MD5 | 3a9cc9fcd58f3e8cbd0ac407b695b1e5 |
| SHA1 | 146b170d1ab2d22c65862bec4fac517a6d943fbc |
| SHA256 | 92170e43944e4e37c98a850e1dd3ee40cc88b2393b9c3ebdd521de1eb255be22 |
| SHA512 | 840a7cae489d616273112286f1cd73719602132afe44dd43e56a66a467a0550bafbd9398e02e9a073a3563646180aacfd5b5360165dfcd77d3d3ee7b9f1a729e |
C:\Users\Admin\AppData\Local\Temp\uPXN1DUXD3H7.bat
| MD5 | dd682ae21da7cf39e5e6f17e93d14be7 |
| SHA1 | 2c3dcc011ed9f788f889adfe12279727cb284657 |
| SHA256 | 1b565910045bd3ef3027018de4dd0d474e307751b79aa65ca54f5f1bd379ebec |
| SHA512 | a2d376b510400de6b397f48e7484b84699c03cb53c469817cd2086343b0b04644874c2b285a48ad054dd6b06959ee3da3f345e920e0f83b894b950ac1d1f5aaf |
C:\Users\Admin\AppData\Local\Temp\K2v9eSG3OnZz.bat
| MD5 | 1e6e174061455e08b6d13ba76d3b857a |
| SHA1 | 7171abd390157dd69cc2e40864ff5ba21e4a0611 |
| SHA256 | f409c4f06dfe24947b3014c39da51044002b8947fb891af605b2c30cfa9f76c4 |
| SHA512 | 89df52c5de935ace7a86d5187a2910b47f3bf7142b62b304eb023c67a6df3c29ed86bec3ff50fdd4d5220d02aba0508a984f908436642be85471dd02d77a37c9 |
C:\Users\Admin\AppData\Local\Temp\ypTJUr0aoprW.bat
| MD5 | 4f99b53a32c3932104cfb5ab4170c883 |
| SHA1 | 5a2e55a0ff04e0b2830d1cb7e74470f37db4573a |
| SHA256 | 905b85a960a5f0aee6d9fc2ad76ba5d1df2bb350c2b1bb68ab10013e91b6f05c |
| SHA512 | 7d3d7e5846116d590efbe2f8402b198c1633852416b0dd26016a03ee858649f13b997f7ba82eae182ae9f010f5413cebb94305e12852b578ea2a1c67291af6dc |
C:\Users\Admin\AppData\Local\Temp\RZNR2VU3KDCr.bat
| MD5 | 3d2c3787a53f8eb4a1ca9edc4fbf7abd |
| SHA1 | 928e22d7b7ab2c548b650e3c4f0654446f2a34d3 |
| SHA256 | 76390edb1e7cbda78d7650060752647a3c946f8770ae003db59eb3408a26283d |
| SHA512 | 8493e08c6100c65200c1b49c12b6d0297fe3176d8c590445bb2041ac6707ba65169ccd4d51907f3896da2dc279006d91dc2265232d63c09e665ac3aec0e1114a |
C:\Users\Admin\AppData\Local\Temp\CYDz6YKfOclZ.bat
| MD5 | fb54dcd11866d0d0ea43f2ec3ce3b5d5 |
| SHA1 | c3947a61994cb35685ea87bb4445cec6f9880371 |
| SHA256 | 9f1bd932f8abbab1de0e351274b92404050ec5f8d75c7b1cf790b8e194929efe |
| SHA512 | 1873c6660ff5fa3219bdb0e6cd2297a34d88fd4d84a3c26c1e1e48da219833d153bceed7b522966d7b3236282a458b9e06f69f85c82002b93e89a03f4bd5c8fc |
C:\Users\Admin\AppData\Local\Temp\U7xHQex2k9j2.bat
| MD5 | ceb7e7037edd614ad816a041fe1e65af |
| SHA1 | b7687e6c290299b2aa788eb5729d0b76ce6a49bf |
| SHA256 | a0a28be433188ffc40eb4873c7b4fefdbf0e8a5c38c627011babb364a793a9d0 |
| SHA512 | 339856fc8914e1c5d6055c581014dd795cad1625fae13284641a4b9cac6a644872bf376e308862d6cd410efba62e930ef9b56aecb5803597eb34b058a1bea450 |
C:\Users\Admin\AppData\Local\Temp\e9ts1FLK8GZl.bat
| MD5 | 8273d4639170395d5c6c3efe2d8f89ef |
| SHA1 | 754a9341275b7cc16ead0c6f809aa810ee80c9d2 |
| SHA256 | aa497c4a08d79cf6b6dfbf57b5d853a840cc3b484cf633aa308a5265e2b6d590 |
| SHA512 | a3f4cc312eb859e82db75474bdb4e7a759e7ed6c08609c8f8dd92a5c4bf5f6641bfff1dc5cd22d85022728e9a0823636c7dbc6bbcd32ed952736cc1ae8a27ef7 |
C:\Users\Admin\AppData\Local\Temp\R5nmFYgoEocZ.bat
| MD5 | 9f2e96fe152f9436c2605c9ef6afecdb |
| SHA1 | 2d86de268ac5356b1625fb217669ba1a5832d928 |
| SHA256 | 1fba806bbb3392a6f940f1874e186fc444e672a4d2d7e7dc85b1b73dfe796964 |
| SHA512 | e3d2c0acb6dc575a1e83c4e19eafa3d76061fd5251af92323daf4d955e371cce1cee60efe31247cf82654186b21f6d6253d066d452766a6171701cc574ee804f |
C:\Users\Admin\AppData\Local\Temp\ePXjLoFV9p3s.bat
| MD5 | 4a433e17a3f1d7e40587fa4c00ae71f0 |
| SHA1 | 58720569d849797b8ef79ec592ffc03523790af9 |
| SHA256 | 1911412c364c422b7292521e1f43d8830aff15ea1a1daec0b68641c2e4bd8df0 |
| SHA512 | 038495946e518c8af4ed468e53036e081b8b9c8b14fdfa41476614cc995abab5083b12765dbad9c39aa73cfbaefab781f6fec325958c06a27528d78e60311271 |
C:\Users\Admin\AppData\Local\Temp\L1wMbl9bFgfI.bat
| MD5 | a521b1ef852c064754971f89a016f3da |
| SHA1 | 91b0e1991a76e0e1cbdf9717ace8848ca0c0038b |
| SHA256 | 2b5c7f3929f3e86fbba8d79334b478bb5d3c117ab90d0c5584a47367fabe6892 |
| SHA512 | 62f3e9fc415ebd3eae1d6bfc0fe241626cd0694b138d12e1c1ef906755b803bd41c4849ba86fcc91a55806066f7c78a15603c834ea9eb81d0e2b0c91141a1357 |
C:\Users\Admin\AppData\Local\Temp\v1R0lO3CIbdP.bat
| MD5 | 6c12ec901eb1ecd56b276dd15695f35b |
| SHA1 | 80971aea5c1789762f4e06ae64ea257614fe42d7 |
| SHA256 | d188f6cceaa5438238f880d4352305d1047608fc68165c50f7d610fe1dca35de |
| SHA512 | c2dbcb9231606b1c1e8ede42c6f3be7469ce6c8413ae211a8ae326ae4527461204300c9d2050d47239fba5816f68803c5b94f599e27260bda2175ef01e918ebe |
C:\Users\Admin\AppData\Local\Temp\VJ8aX8tTztNe.bat
| MD5 | 0b4f8a9ebf16471fa2db77e8241db20f |
| SHA1 | 49117a4b93a8df62c7f6b415c1641b621d4c6372 |
| SHA256 | e9c0544d719e220e89bd26ab6c68c05a4f6d32fd67fe11f6e323b4a80c77a2c4 |
| SHA512 | 6dfcd4447311395c3debd17d3c9d6fd657974112eeb1d2cb400b95a19518d623127cc301d12d78f21036bb8f8ff955c8800cee25e9ffc0bd2772cb883a71868b |
C:\Users\Admin\AppData\Local\Temp\WbOmmi8kqZdf.bat
| MD5 | 1bdffc4a3fe5a61a19057ed346d6785d |
| SHA1 | 7802acf5973d7bb3d6685a12d90bbee3ca5e3eed |
| SHA256 | bf0131604468e2015920786a2fdc2adb397e90168c7c495243591db8b7f49d3f |
| SHA512 | c78d68384753cab0d74242a9765e33ad6da7b02bc10917966a7152684f03f5ca7dcba3e6c133791b71f592175c0194e365e6bd369114c4e4e43308111a6854e3 |
C:\Users\Admin\AppData\Local\Temp\IPe7Dqr94ofv.bat
| MD5 | 62f3289faade7318109024f92458c410 |
| SHA1 | aa9d840828ec0d9bd45c58a7acdf72c8bed790b9 |
| SHA256 | 282d0a3e1b3debf0988ee44ad9e7f981b922e0b83c78041273afb048bd90bdb7 |
| SHA512 | 608a1cb2edcb191f1bbb83aefe54ea1ee72f9a5498cb6f53f5d274089e4b12c4851a9bd843a1937202952ffaeb76376dbf2470a8ee012f92788820aeb0b8ac45 |
C:\Users\Admin\AppData\Local\Temp\urVxJ5iiXV1J.bat
| MD5 | 1cf857dd7eac343cb7eea5411cb94e0d |
| SHA1 | 5e445257046805602764c89dcfc9dc706a80227b |
| SHA256 | 026422e960aac5f6d7d76ee3f60198f917dc83d250c222fd1f6acab92a1d4a27 |
| SHA512 | cd4754facc72e3022495fbea0a4d695fda3044cb38c0a8a1ee97eefd4b41760c959b9bfc1eb56fff743969157956fcde9177f5c7c60040c1c32ce67e4a6fd21f |
C:\Users\Admin\AppData\Local\Temp\2kQoTmYXumT8.bat
| MD5 | ae26844fb129fe687fff2b451940ed5d |
| SHA1 | 15ff8a479f82ce93d8e44493f4a275a9fa3f96df |
| SHA256 | 8e040aeed900c13b41d242b924d208b750c2852b162419e2cdec2afd65272111 |
| SHA512 | b58376d5a825917bd2a94cf438ef28b26f7363e15569be8a9e3721aae248bc32d74a21b478366913220fe07b05f1477167c4a73f05e1aabb51cbe681a142492e |
C:\Users\Admin\AppData\Local\Temp\rcSaS72EENy7.bat
| MD5 | 0bbfd0de8b9ca15109f41cdf8cff1d00 |
| SHA1 | 5d64f653d9aa13f4d965d26b65eca516ad7a6675 |
| SHA256 | 309a2bf8f2e4a9c1caf6628dbed24c9c2c4ee45c00bbf8f5f6ee2ca9db6a5dd7 |
| SHA512 | 75ca9f9049731656fe6b5fa1a9b2a1c0f3d824246085af62a70effe26ba6e8a1caf2769977d8f45ac4c36b3688c7d25bd650bab838059c439b774691a64dcf39 |
C:\Users\Admin\AppData\Local\Temp\cwkWTfJjK6hf.bat
| MD5 | 276b69b16b2ccbbe7a9eb5d088bb4606 |
| SHA1 | 3c348b4e626b687a309fb6f041bd09fc0edd4730 |
| SHA256 | a9dfa0c4e1d8bac082aa5699f56815c1738dd3b17d0c337619efd28be371314a |
| SHA512 | 707975e4c044e49af99719ec6f8025cc17db3df1d54ec75eeb98cf2c73df9f480fac475c37f6dac33ca2f40d8be5708710c52ef7b0c7fc85fa6530f5443ea0cd |
C:\Users\Admin\AppData\Local\Temp\efFTHewDGyJe.bat
| MD5 | ecf27b23097857c72620fd8d9c0645f2 |
| SHA1 | d4f7b2064338acfd24e07f438b0d6a463ad8b468 |
| SHA256 | f62dbe2dcc914061255680b62edc7d18eb0b7d481704f53792840b746a1a9562 |
| SHA512 | c40956c69fe7bcb418b45d4c83ab63e7082ae5ba4f2c010f2a8e53c9a9715c6400772c48aa234c9ddeb6305798f8b75e4147993e2e26388a37c7c624de7d9fb1 |
C:\Users\Admin\AppData\Local\Temp\7uAyLRr7vA1x.bat
| MD5 | 73d569a28b6c9996e58c981004e55edd |
| SHA1 | ca854927ef7ac2111b7406d0787af8cdb0d88047 |
| SHA256 | bc2d8a49709cc94e7234bc8599e8763ff96bad087a34d943ddafd09bf0debebe |
| SHA512 | e31569b5bad8547c94cbd21f74c945f906f29e292f8c6a11da87090c1f719d3b4e541e4ec3ae51d644f8df683ae13ca8f5abe1d6274f16e3749ec381cca15830 |
C:\Users\Admin\AppData\Local\Temp\Z3I2fBV6YfsN.bat
| MD5 | 3ebf2b0c6829354232985fe58d507af9 |
| SHA1 | cfead9ab895f02bf4ccd2b7b2819b1313789c1b9 |
| SHA256 | 31c1ff77b59d649dd5f8fc9dbb00bdb94d367ed7cc729a73cb3f275a69b30fac |
| SHA512 | 344d006ff9eb41956683b773fd4a2bca2c65be31358a72707e743ec6b5079782f003a07cd8a9d60ff8401a0d947768227a9152de45370d7b98b4da1fd0ca920e |
C:\Users\Admin\AppData\Local\Temp\6OluCKMfMPNM.bat
| MD5 | 4a479aadf405c57e582076afe6c3e3b7 |
| SHA1 | 2abf8f5cf7f79c6001f8fb8ee1b187755c5b9e15 |
| SHA256 | 562671646209c1bff7e2e33583152dd06367c7d5d48e7327159ed40a091d5e0c |
| SHA512 | e570783478a4d96b770ccf871db5f4915f6f1f987dadafca25f529d7669de45827b31b5fd62fec7d84edf25ccc143d6e246b5796d4ad08eb5a5da4ebc04710f7 |
C:\Users\Admin\AppData\Local\Temp\MDTQELKSHgwA.bat
| MD5 | 8448c2fac48bb81a46ef82c95ab8e7db |
| SHA1 | a5728e638f7cf0a60dc240113281ce9b072015c5 |
| SHA256 | bcaae0f36ac206c0ecc63a20cee775d7817314ba9b27d3eaa022ca77b1c7a34c |
| SHA512 | bc8d11d233d035128232cd3a9899ccd809d10b35c2cdcfdbaad6f214410e09eb7e35809bb6740ff6b3ec3d7ee0397d6bb86a531c598204cb9e07495b426d5d08 |
C:\Users\Admin\AppData\Local\Temp\Y43Kt3UZJ8sY.bat
| MD5 | efcd2e32b80ead2a0cbd0401063aa20c |
| SHA1 | 02d51612a3a929455f3d54c2e5e4afb1c1731329 |
| SHA256 | bc89b51d33e2e8426a793685612afba5f5e7d111bb32565ce4cbf46c79309194 |
| SHA512 | 1d59f17448ed8299f3c2f03a1179b0626a5745af711c20e17e8a38f9925ec63e5059911e4cf9ccb4840b9e58b97d159c137e21728cf4b34416cd8d7df67b5446 |
C:\Users\Admin\AppData\Local\Temp\D2OaTdC4xc9y.bat
| MD5 | 014a8af59d75a23270a87c0e292bf0fe |
| SHA1 | eb111d7f70926bdbf78c292882c584d9da2fecf7 |
| SHA256 | 52f6bc17a6300bc0aee01d3c2fed68e0b4bf60b323570e26d9a1316a807ed83d |
| SHA512 | beee0eedb2e2bd1b362f50f32e122c573b5186d09da28d842f8b03fbbba4f3cf8414cc3ac019b11cda6ea8d80bf83df9dc3e51417943473cae6213af48ee9ace |
C:\Users\Admin\AppData\Local\Temp\7opAePjdpDQB.bat
| MD5 | 641bef6795076ebfbf23332f38ae642f |
| SHA1 | bf368ffbeeeb6fbd8649ee83b48873c9307390e9 |
| SHA256 | b80a95743f7e0baf18ab367552568ca13cfef000dc1f85a25958570f44dd6711 |
| SHA512 | 7e5877666a6d29f0f219d4f55c61077dc92d3fc655e81bd461e161c1190bbe98273e7e15ca4fa10e012453f1c9b65f0c404dc70363403673af8bba0c4f132872 |
C:\Users\Admin\AppData\Local\Temp\yLRPuJklTjhD.bat
| MD5 | 321e597b52254e76f0d6510a28730689 |
| SHA1 | f1e4072080faffc2f48c1a00d567dc36147fe8d9 |
| SHA256 | 567285d4c191ccd7775a8b051a8e847d423f897c47779807d34d619021e016dd |
| SHA512 | d5df627e2b3b7082d7e8133b20fe1d2090d775918e262bb0430e3a3a42fe526d9c5e253662ac111412805384d14091486c7a9d5f47e97b13d8bad071246349a9 |
Analysis: behavioral3
Detonation Overview
Submitted
2024-06-10 15:29
Reported
2024-06-10 20:11
Platform
win11-20240508-en
Max time kernel
1792s
Max time network
1792s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Roaming\en\defenderx64.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\loader.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried (34 identical events) | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Roaming\en\defenderx64.exe | N/A |
| Key value queried (30 identical events) | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Roaming\en\defenderx64.exe | N/A |
Executes dropped EXE
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried (63 identical events) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Roaming\en\defenderx64.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\loader.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
Enumerates physical storage devices
Creates scheduled task(s)
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\loader.exe
"C:\Users\Admin\AppData\Local\Temp\loader.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\en\defenderx64.exe
"C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\5TeaVvWtXqBb.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\en\defenderx64.exe
"C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9Q5INHhlDVX2.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\en\defenderx64.exe
"C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BFYxr9FIXOtl.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\en\defenderx64.exe
"C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RmNeGIhaiBXY.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\en\defenderx64.exe
"C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FQOAH4oTbg7h.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\en\defenderx64.exe
"C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\3pQ4v0CreaSg.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\en\defenderx64.exe
"C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9UMy4L2WRT1G.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\en\defenderx64.exe
"C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ptpt05k1zS5J.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\en\defenderx64.exe
"C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\i3wxtkeGBhMz.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\en\defenderx64.exe
"C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ocnuh5ds0TeG.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\en\defenderx64.exe
"C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yl4tQvJQdIA1.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\en\defenderx64.exe
"C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\up2rFHnwyoEq.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\en\defenderx64.exe
"C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1p7l9I9hxpxl.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\en\defenderx64.exe
"C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\o6h07xL4tJkR.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\en\defenderx64.exe
"C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tNuZQvLGpFvE.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\en\defenderx64.exe
"C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\m0aU4krCSsDd.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\en\defenderx64.exe
"C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bWDpWVdzPxCF.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\en\defenderx64.exe
"C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WB9Gf8CXchFT.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\en\defenderx64.exe
"C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\z3nTLowfSygB.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\en\defenderx64.exe
"C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Phkkqnqmew96.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\en\defenderx64.exe
"C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1jDiZxAAeoNN.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\en\defenderx64.exe
"C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\phkYIrJs1vha.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\en\defenderx64.exe
"C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vXTWDI94FV36.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\en\defenderx64.exe
"C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fKT0s5imb83a.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\en\defenderx64.exe
"C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Tg5Ql46nqGCF.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\en\defenderx64.exe
"C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vVclqy4w8QNE.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\en\defenderx64.exe
"C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1C5f0UZhPf8G.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\en\defenderx64.exe
"C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UKudNP3J2ewP.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\en\defenderx64.exe
"C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SRfXRT8VhMzW.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\en\defenderx64.exe
"C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\0cFoAX79qZgH.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\en\defenderx64.exe
"C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\T1RFBqRjakCk.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\en\defenderx64.exe
"C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GHPRhK2JYKkI.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\en\defenderx64.exe
"C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fBWyMzKTpLUG.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\en\defenderx64.exe
"C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qoECx9bXj2Gc.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\en\defenderx64.exe
"C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aYlEWgOcuE8J.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\en\defenderx64.exe
"C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\l7ciaVhnG73p.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\en\defenderx64.exe
"C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XT0crCfy2R8U.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\en\defenderx64.exe
"C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\im0pIxw5EFvF.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\en\defenderx64.exe
"C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ETLihPDM0eGa.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\en\defenderx64.exe
"C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GubQZ7XJb8er.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\en\defenderx64.exe
"C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HdZIbBDUyP5c.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\en\defenderx64.exe
"C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kyH6EKMdhNRy.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\en\defenderx64.exe
"C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TfSkFckgnjld.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\en\defenderx64.exe
"C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JY5iKXQnDS3l.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\en\defenderx64.exe
"C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AFulCWTVOjeN.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\en\defenderx64.exe
"C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UWujgPdB4X5q.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\en\defenderx64.exe
"C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vXyqIi0C6gre.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\en\defenderx64.exe
"C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\u4Vdm2vyACKM.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\en\defenderx64.exe
"C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gry3pYbVxHwX.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\en\defenderx64.exe
"C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PKPhSGuVjCjh.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\en\defenderx64.exe
"C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\o23dV5piAOe8.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\en\defenderx64.exe
"C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VavsueTjshF7.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\en\defenderx64.exe
"C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DJodw2psDER2.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\en\defenderx64.exe
"C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AGCX0fOZ6NlE.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\en\defenderx64.exe
"C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\24DCIpWDpoJL.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\en\defenderx64.exe
"C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SiHpMNnExeAd.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\en\defenderx64.exe
"C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qgXMD77bJeZo.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\en\defenderx64.exe
"C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DhTWvbYdDb6m.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\en\defenderx64.exe
"C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yWI2YgeEj5hi.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\en\defenderx64.exe
"C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UWqgsmEJRKCk.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\en\defenderx64.exe
"C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nBFiJOnqtFuM.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\en\defenderx64.exe
"C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uRHuyUb3cN5n.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\en\defenderx64.exe
"C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JpWzo5YtJtSb.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\en\defenderx64.exe
"C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\O0z2FIaBcVOw.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\en\defenderx64.exe
"C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XTiBU1qsM3VE.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\en\defenderx64.exe
"C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\t9DWL7kyEbyc.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\en\defenderx64.exe
"C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6XFnuqu3Ge4K.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\en\defenderx64.exe
"C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VBUleyO2KdPn.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\en\defenderx64.exe
"C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NnRaBPBUGpZb.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\en\defenderx64.exe
"C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kxhZ1oJtcuHm.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\en\defenderx64.exe
"C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HrHfapuH9HhD.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\en\defenderx64.exe
"C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SJyllRddbpPA.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\en\defenderx64.exe
"C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KAKUAcxIjgsU.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\en\defenderx64.exe
"C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QSUrAuhGoPCZ.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\en\defenderx64.exe
"C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VlyL5QGIi29Q.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\en\defenderx64.exe
"C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\F4NMb7dAbQtj.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\en\defenderx64.exe
"C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\O0fjTgFWP9h1.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\en\defenderx64.exe
"C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uLGfjzR3C2aq.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
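The ten-line cycle repeated above is Quasar's restart routine: the running defenderx64.exe (re)registers a task named "Windows Defender Helper" with /sc ONLOGON and /rl HIGHEST, then runs a random-named .bat from %TEMP% that sets code page 65001, uses ping -n 10 localhost as a sleep, and relaunches the same binary from %APPDATA%\en. The following Python is an added detection example, not part of this report and not Quasar or sandbox code. The process records are constructed from the command lines shown above; the pid/ppid fields and the parent-child links between them are assumptions, since this section lists processes without a tree.

```python
"""Flag the Quasar-style restart/persistence chain from process-creation records.

Added example. Records are constructed from the command lines in the report;
pid/ppid values and the parent links are assumed, not taken from the sandbox.
"""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int       # assumed
    ppid: int      # assumed
    image: str
    cmdline: str


# Constructed sample: one restart cycle as shown above, plus a benign task
# registration that must not be flagged.
SAMPLE = [
    Proc(100, 1, r"C:\Users\Admin\AppData\Roaming\en\defenderx64.exe",
         r'"C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"'),
    Proc(101, 100, r"C:\Windows\SysWOW64\schtasks.exe",
         r'"schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON '
         r'/tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f'),
    Proc(102, 100, r"C:\Windows\SysWOW64\cmd.exe",
         r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bWDpWVdzPxCF.bat" "'),
    Proc(103, 102, r"C:\Windows\SysWOW64\chcp.com", "chcp 65001"),
    Proc(104, 102, r"C:\Windows\SysWOW64\PING.EXE", "ping -n 10 localhost"),
    Proc(105, 102, r"C:\Users\Admin\AppData\Roaming\en\defenderx64.exe",
         r'"C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"'),
    Proc(200, 1, r"C:\Windows\System32\schtasks.exe",
         r'schtasks /create /tn "Backup" /sc DAILY /tr "C:\Program Files\Backup\backup.exe"'),
]

# Locations a standard user can write to: a task action living here is
# attacker-controlled, so a logon trigger or elevated run level matters.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")
BOOT_TRIGGERS = {"ONLOGON", "ONSTART"}
_OPT = re.compile(r'/(\w+)(?:\s+("[^"]*"|(?!/)\S+))?')
_PING = re.compile(r"ping\s+-n\s+(\d+)\s+(?:localhost|127\.0\.0\.1)", re.I)
_BAT = re.compile(r'/c\s+"*(.*?\.bat)"', re.I)


def in_user_writable(path: str) -> bool:
    p = path.lower()
    return any(m in p for m in USER_WRITABLE)


def parse_schtasks(cmdline: str) -> dict:
    """Return {option: value} for a schtasks command line; bare flags map to ''."""
    opts = {}
    for m in _OPT.finditer(cmdline):
        opts[m.group(1).lower()] = (m.group(2) or "").strip('"')
    return opts


def assess_schtasks(cmdline: str) -> dict:
    """Score a schtasks /create call on trigger, run level, action path and naming."""
    opts = parse_schtasks(cmdline)
    reasons = []
    if "create" in opts:
        tr = opts.get("tr", "")
        if opts.get("sc", "").upper() in BOOT_TRIGGERS:
            reasons.append(f"triggers at {opts['sc'].upper()}")
        if opts.get("rl", "").upper() == "HIGHEST":
            reasons.append("requests /rl HIGHEST")
        if in_user_writable(tr):
            reasons.append("action runs from a user-writable directory")
        name = opts.get("tn", "").lower()
        trusted = tr.lower().startswith((r"c:\windows", r"c:\program files"))
        if any(w in name for w in ("defender", "windows", "microsoft")) and not trusted:
            reasons.append("task name imitates a Microsoft component but action is elsewhere")
    # User-writable action plus at least one more red flag
    suspicious = "create" in opts and in_user_writable(opts.get("tr", "")) and len(reasons) >= 2
    return {"suspicious": suspicious, "reasons": reasons, "opts": opts}


def find_restart_chains(procs) -> list:
    """Find cmd /c <user-writable>.bat whose children are ping-sleep + relaunch from AppData."""
    children = defaultdict(list)
    for p in procs:
        children[p.ppid].append(p)
    chains = []
    for p in procs:
        m = _BAT.search(p.cmdline) if p.image.lower().endswith("\\cmd.exe") else None
        if not m or not in_user_writable(m.group(1)):
            continue
        kids = children[p.pid]
        ping_count = None
        for k in kids:
            pm = _PING.search(k.cmdline)
            if pm:
                ping_count = int(pm.group(1))
        relaunched = [k.image for k in kids
                      if k.image.lower().endswith(".exe") and in_user_writable(k.image)]
        if ping_count is not None and relaunched:
            chains.append({"bat": m.group(1),
                           "chcp": any(k.cmdline.lower().startswith("chcp") for k in kids),
                           "ping_count": ping_count,
                           "relaunched": relaunched[0]})
    return chains


if __name__ == "__main__":
    for p in SAMPLE:
        if p.image.lower().endswith("\\schtasks.exe"):
            print(p.pid, assess_schtasks(p.cmdline))
    print(find_restart_chains(SAMPLE))
```

The task check fires on the combination (user-writable action plus logon trigger, HIGHEST run level or a Microsoft-sounding name), not on /rl HIGHEST alone, which legitimate installers also use; the chain check keys on the ping-to-localhost sleep followed by an executable relaunched from a user-writable path under the same cmd.exe parent.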
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | lvke-45989.portmap.host | udp |
| US | 8.8.8.8:53 | lvke-45989.portmap.host | udp |
| US | 8.8.8.8:53 | lvke-45989.portmap.host | udp |
| US | 8.8.8.8:53 | lvke-45989.portmap.host | udp |
| US | 52.111.229.48:443 | | tcp |
| US | 8.8.8.8:53 | lvke-45989.portmap.host | udp |
| US | 8.8.8.8:53 | lvke-45989.portmap.host | udp |
| US | 8.8.8.8:53 | lvke-45989.portmap.host | udp |
| US | 8.8.8.8:53 | lvke-45989.portmap.host | udp |
| US | 8.8.8.8:53 | lvke-45989.portmap.host | udp |
| US | 8.8.8.8:53 | lvke-45989.portmap.host | udp |
| US | 8.8.8.8:53 | lvke-45989.portmap.host | udp |
| US | 8.8.8.8:53 | lvke-45989.portmap.host | udp |
| US | 8.8.8.8:53 | lvke-45989.portmap.host | udp |
| US | 8.8.8.8:53 | lvke-45989.portmap.host | udp |
| US | 8.8.8.8:53 | lvke-45989.portmap.host | udp |
| US | 8.8.8.8:53 | lvke-45989.portmap.host | udp |
| US | 8.8.8.8:53 | lvke-45989.portmap.host | udp |
| US | 8.8.8.8:53 | lvke-45989.portmap.host | udp |
| US | 8.8.8.8:53 | lvke-45989.portmap.host | udp |
| US | 8.8.8.8:53 | lvke-45989.portmap.host | udp |
| US | 8.8.8.8:53 | lvke-45989.portmap.host | udp |
| US | 8.8.8.8:53 | lvke-45989.portmap.host | udp |
| US | 8.8.8.8:53 | lvke-45989.portmap.host | udp |
| US | 8.8.8.8:53 | lvke-45989.portmap.host | udp |
| US | 8.8.8.8:53 | lvke-45989.portmap.host | udp |
| US | 8.8.8.8:53 | lvke-45989.portmap.host | udp |
| US | 8.8.8.8:53 | lvke-45989.portmap.host | udp |
| US | 8.8.8.8:53 | lvke-45989.portmap.host | udp |
| US | 8.8.8.8:53 | lvke-45989.portmap.host | udp |
| US | 8.8.8.8:53 | lvke-45989.portmap.host | udp |
| US | 8.8.8.8:53 | lvke-45989.portmap.host | udp |
| US | 8.8.8.8:53 | lvke-45989.portmap.host | udp |
| US | 8.8.8.8:53 | lvke-45989.portmap.host | udp |
| US | 8.8.8.8:53 | lvke-45989.portmap.host | udp |
| US | 8.8.8.8:53 | lvke-45989.portmap.host | udp |
| US | 8.8.8.8:53 | lvke-45989.portmap.host | udp |
| US | 8.8.8.8:53 | lvke-45989.portmap.host | udp |
| US | 8.8.8.8:53 | lvke-45989.portmap.host | udp |
| US | 8.8.8.8:53 | lvke-45989.portmap.host | udp |
| US | 8.8.8.8:53 | lvke-45989.portmap.host | udp |
| US | 8.8.8.8:53 | lvke-45989.portmap.host | udp |
| US | 8.8.8.8:53 | lvke-45989.portmap.host | udp |
| US | 8.8.8.8:53 | lvke-45989.portmap.host | udp |
| US | 8.8.8.8:53 | lvke-45989.portmap.host | udp |
| US | 8.8.8.8:53 | lvke-45989.portmap.host | udp |
| US | 8.8.8.8:53 | lvke-45989.portmap.host | udp |
| US | 8.8.8.8:53 | lvke-45989.portmap.host | udp |
| US | 8.8.8.8:53 | lvke-45989.portmap.host | udp |
| US | 8.8.8.8:53 | lvke-45989.portmap.host | udp |
| US | 8.8.8.8:53 | lvke-45989.portmap.host | udp |
| US | 8.8.8.8:53 | lvke-45989.portmap.host | udp |
| US | 8.8.8.8:53 | lvke-45989.portmap.host | udp |
| US | 8.8.8.8:53 | lvke-45989.portmap.host | udp |
| US | 8.8.8.8:53 | lvke-45989.portmap.host | udp |
| US | 8.8.8.8:53 | lvke-45989.portmap.host | udp |
| US | 8.8.8.8:53 | lvke-45989.portmap.host | udp |
| US | 8.8.8.8:53 | lvke-45989.portmap.host | udp |
| US | 8.8.8.8:53 | lvke-45989.portmap.host | udp |
| US | 8.8.8.8:53 | lvke-45989.portmap.host | udp |
| US | 8.8.8.8:53 | lvke-45989.portmap.host | udp |
| US | 8.8.8.8:53 | lvke-45989.portmap.host | udp |
| US | 8.8.8.8:53 | lvke-45989.portmap.host | udp |
| US | 8.8.8.8:53 | lvke-45989.portmap.host | udp |
| US | 8.8.8.8:53 | lvke-45989.portmap.host | udp |
| US | 8.8.8.8:53 | lvke-45989.portmap.host | udp |
| US | 8.8.8.8:53 | lvke-45989.portmap.host | udp |
| US | 8.8.8.8:53 | lvke-45989.portmap.host | udp |
| US | 8.8.8.8:53 | lvke-45989.portmap.host | udp |
| US | 8.8.8.8:53 | lvke-45989.portmap.host | udp |
| US | 8.8.8.8:53 | lvke-45989.portmap.host | udp |
| US | 8.8.8.8:53 | lvke-45989.portmap.host | udp |
| US | 8.8.8.8:53 | lvke-45989.portmap.host | udp |
| US | 8.8.8.8:53 | lvke-45989.portmap.host | udp |
| US | 8.8.8.8:53 | lvke-45989.portmap.host | udp |
| US | 8.8.8.8:53 | lvke-45989.portmap.host | udp |
| US | 8.8.8.8:53 | lvke-45989.portmap.host | udp |
| US | 8.8.8.8:53 | lvke-45989.portmap.host | udp |
| US | 8.8.8.8:53 | lvke-45989.portmap.host | udp |
Files
memory/1736-0-0x0000000000400000-0x000000000109A000-memory.dmp
memory/1736-1-0x0000000075706000-0x0000000075707000-memory.dmp
memory/1736-2-0x00000000756F0000-0x00000000757E0000-memory.dmp
memory/1736-3-0x00000000756F0000-0x00000000757E0000-memory.dmp
memory/1736-5-0x0000000000400000-0x000000000109A000-memory.dmp
memory/1736-6-0x0000000000400000-0x000000000109A000-memory.dmp
memory/1736-7-0x00000000058A0000-0x0000000005E46000-memory.dmp
memory/1736-8-0x0000000005E50000-0x0000000005EE2000-memory.dmp
memory/1736-9-0x0000000005850000-0x000000000585A000-memory.dmp
C:\Users\Admin\AppData\Roaming\en\defenderx64.exe
| MD5 | a7162b6eabcdb753b8ec85bda90af43c |
| SHA1 | e837aa3e994604f84c3adb4f6a10dc602e326a3e |
| SHA256 | ec5fa919b523ea3effb48a867b496d30a3bbf2208bc5652f812ebd0d87889ad0 |
| SHA512 | 3aeb0173d2169d9607a9e9e12c6ded9a2e0ab68b3c522ef287d3d5245b8c9eceec903685e30698711678664c6e002f09c224b61eaadd0cd54e1646104da8a4e4 |
memory/3144-15-0x0000000000400000-0x000000000109A000-memory.dmp
memory/1736-16-0x0000000000400000-0x000000000109A000-memory.dmp
memory/1736-17-0x00000000756F0000-0x00000000757E0000-memory.dmp
memory/3144-19-0x0000000000400000-0x000000000109A000-memory.dmp
memory/3144-20-0x0000000000400000-0x000000000109A000-memory.dmp
memory/3144-21-0x00000000068A0000-0x0000000006EB8000-memory.dmp
memory/3144-22-0x0000000007020000-0x0000000007070000-memory.dmp
memory/3144-23-0x0000000007210000-0x00000000072C2000-memory.dmp
memory/3144-30-0x0000000000400000-0x000000000109A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\5TeaVvWtXqBb.bat
| MD5 | bccbb64ae9c0a93caa56cdbf40ba5b79 |
| SHA1 | 95bb8309252d4d8f01882cdca54aa85d3ec8d442 |
| SHA256 | 1810399114fc2b49414af4554d4998518b44a213ab23cca057e7d1babc98cf7b |
| SHA512 | 2ba68be712ba23b441bb1776806b7043fd328e26f0c69a8da0fd87834726c631d95612edd4308b4a4a4d84ce022a7c3dd01f7594de29ad0a516ce2fa65efc7ee |
memory/2848-34-0x0000000000400000-0x000000000109A000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\defenderx64.exe.log
| MD5 | 64a482dd55168388131083f3a7926064 |
| SHA1 | dcadac6101735b4bbe54ea719808f0c5127ff9d1 |
| SHA256 | 034c9338b4fc7e195c8195915c47a880acdc1aae5b1858de250bc726acd5dc79 |
| SHA512 | 03f2f56b9ded00daee2483083abf87bf05002c835d59f00e1f95cda843c142111c8461982838d34a4c951d89533a50ca9eeddcd31ad28a61487cd9c82be10b93 |
memory/2848-37-0x0000000000400000-0x000000000109A000-memory.dmp
memory/2848-38-0x0000000000400000-0x000000000109A000-memory.dmp
memory/2848-44-0x0000000000400000-0x000000000109A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\9Q5INHhlDVX2.bat
| MD5 | 6feec19c19a54c5a47d1959e80fbb0f0 |
| SHA1 | 1b5ec5ac82bdafad53b90ba2f3a3b54b15ea1309 |
| SHA256 | 3f39a4a0d889099f78c7e4213bcb1ae2337e624cb8068988310c69a0f02c2bc1 |
| SHA512 | cfaf8afd86b583c1d624124c8f15564a5ca83f43df43baa9f9917a015e11ad75013d3614facf633514a863d04d9dffae9976b8f4fe5169b7ba588dc84f06ba0a |
memory/4976-48-0x0000000000400000-0x000000000109A000-memory.dmp
memory/4976-50-0x0000000000400000-0x000000000109A000-memory.dmp
memory/4976-51-0x0000000000400000-0x000000000109A000-memory.dmp
memory/4976-57-0x0000000000400000-0x000000000109A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\BFYxr9FIXOtl.bat
| MD5 | 2ec1578dd09ba2635ca948483b19643c |
| SHA1 | f04f6543f724e96ccdca6a99f0db2d96e686e876 |
| SHA256 | a206f8a3aa25d4aa2bbaa55072bfbeb42f27caeb814ad95ddc6ab7d5675041d9 |
| SHA512 | a5fda53d4530003ce31f803582c0b84142497dd6f98ea36e4a4e16dcec37ff259906f9864c2b8b8836cd43c1cac452be6eff21a5bc0470c30271d4b4a261f559 |
memory/3292-61-0x0000000000400000-0x000000000109A000-memory.dmp
memory/3292-63-0x0000000000400000-0x000000000109A000-memory.dmp
memory/3292-64-0x0000000000400000-0x000000000109A000-memory.dmp
memory/3292-70-0x0000000000400000-0x000000000109A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\RmNeGIhaiBXY.bat
| MD5 | 9e297958b05b737250579a625b5662eb |
| SHA1 | 1f607c4aa2b6f99f42dc6fae6e90aeffc3ce0fdb |
| SHA256 | 6d895474d7574547f7f044be30c81b0822d69ce31ecc682abebc6f1f40c46df1 |
| SHA512 | 1df036f1bda7eb585c86c8e8dfe77006513c9d366a9d43bde5626759ba5c9a21b5201cfab6eb4c7f01f74d58a1232202ca2684278d75a8facefff1718b3fd217 |
memory/3592-74-0x0000000000400000-0x000000000109A000-memory.dmp
memory/3592-77-0x0000000000400000-0x000000000109A000-memory.dmp
memory/3592-76-0x0000000000400000-0x000000000109A000-memory.dmp
memory/3592-83-0x0000000000400000-0x000000000109A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\FQOAH4oTbg7h.bat
| MD5 | 7cd60caae1571c7b14cc00aad21eef56 |
| SHA1 | ca24c7ab74358b493a4c48a47f18818fc0de0655 |
| SHA256 | 172ffd8d003a7fc22c3f9def7dca5903d6aa393e59a89195733731fa33c2fd70 |
| SHA512 | d55d39feeaef5a4912c652e157382efaeaaf3f13ebd6b3d872cb45b9caa826f886622bb8c46f81195f3352fd4a0d92d138340bfb28830161864a78a642a0b807 |
memory/4732-87-0x0000000000400000-0x000000000109A000-memory.dmp
memory/4732-89-0x0000000000400000-0x000000000109A000-memory.dmp
memory/4732-90-0x0000000000400000-0x000000000109A000-memory.dmp
memory/4732-96-0x0000000000400000-0x000000000109A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\3pQ4v0CreaSg.bat
| MD5 | d0fde535ba67952e6d9df39ede2a40af |
| SHA1 | d637fbe055c1d9f8e04401ca88392bffa8a5abf5 |
| SHA256 | bdb2bb710b9aac4b1c1da8b8a6f76ad70d341e62feafff3083b5f5b55f27e919 |
| SHA512 | e895846f70fe3fe0e2906923c22600464dffaf455ca59c18d98d11d3963ebe528f62fff2762ce4982c3fbd8c45d558fd1cfeb016edfe7b100c721a319c9f6888 |
memory/3504-100-0x0000000000400000-0x000000000109A000-memory.dmp
memory/3504-102-0x0000000000400000-0x000000000109A000-memory.dmp
memory/3504-103-0x0000000000400000-0x000000000109A000-memory.dmp
memory/3504-109-0x0000000000400000-0x000000000109A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\9UMy4L2WRT1G.bat
| MD5 | 4154cd2eb2191b78ea618f45cf1b1e6f |
| SHA1 | a73189da9a0f90b779c4a102d4e693f03277cd48 |
| SHA256 | b8bd5d56e438deb021c31e812fe2ef10dc574e158226ddc3ac450da0ec755c84 |
| SHA512 | 69f19f4b1ea823c3fc3f9213ead085fbe8bdde36102c05b6fe8b0053d27eaa5c6ec8c8ccf7e5f941947af057f3f3a7d7d8c77e511ab5f75f95304c552512ec36 |
memory/3564-114-0x0000000000400000-0x000000000109A000-memory.dmp
memory/3564-115-0x0000000000400000-0x000000000109A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ptpt05k1zS5J.bat
| MD5 | c3c47a3a33b68de9afa57b7323e9b149 |
| SHA1 | 12acf8e1be3cc6a8b8bc8b28921f7f90bb477936 |
| SHA256 | de69fecf9914664f902f6e7bdf41f224a3f1cd09f36c05ee255985974a8cdd4f |
| SHA512 | 4ed68ae17a03aaf637098e439694e4fde33c1b0c201d8407e2a275b31d4ac95f92821d32f3e3a378c4ad65246203903e81b5bf0d95fefcdefcac0a3374a2db32 |
memory/4496-125-0x0000000000400000-0x000000000109A000-memory.dmp
memory/4496-126-0x0000000000400000-0x000000000109A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\i3wxtkeGBhMz.bat
| MD5 | f14794e935024c9ff44571bec19f2e83 |
| SHA1 | 1038f3cef6229a93c6c5b93bf382919295d40b18 |
| SHA256 | 3bae09e5e525284ed2896504060d1712953fb737f9747cd4b91ebe81d92a3b97 |
| SHA512 | c94bcfbef459ccaef22c4a657f63ab5a7c9c59c4264e4e56402a42b65b2921f3070ccca3f6f26acc1a5514ce65f4a7194e0d03bd11f95c4a1b3171b96acde4e7 |
memory/5100-136-0x0000000000400000-0x000000000109A000-memory.dmp
memory/5100-137-0x0000000000400000-0x000000000109A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ocnuh5ds0TeG.bat
| MD5 | f8f561c4e05d4b1dff54aa619acaa6a6 |
| SHA1 | f80e41d360382335983ce5d2e7ffde1d6695e40e |
| SHA256 | caa8b51f427e7f3822bca12bfde310decb61d0e645dee7b97016df7ab7b0cdc4 |
| SHA512 | 96a12ce0d144295dad88b36cf06d645ab9e40081b658487f5a803e1fc5317106d2e0cbe450630578aaa99ef1c4a93967bedf4b74836b099569c6a7bef1877202 |
memory/4780-147-0x0000000000400000-0x000000000109A000-memory.dmp
memory/4780-148-0x0000000000400000-0x000000000109A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\yl4tQvJQdIA1.bat
| MD5 | 40229680f8b251fdffaa1c600f1a00a6 |
| SHA1 | 2e86fd54e3571b5f50eecb6bf86c71a44dcb7d7d |
| SHA256 | 8c243ce2dedcf99b6f9677701ead3674565c335b56b1bd80525fe173b0613f60 |
| SHA512 | 3ab0a68015887263a8152ff361337418e45d5848d533030d2d01119abad819ee79c9a9a4e0c2e09b3a1522f2e579bc0ca8eb9465d6d8970a5662bfa06887cd1e |
memory/1736-158-0x0000000000400000-0x000000000109A000-memory.dmp
memory/1736-159-0x0000000000400000-0x000000000109A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\up2rFHnwyoEq.bat
| MD5 | 7a868b19aa83e02bfd7984f45ce19e74 |
| SHA1 | 9f3a6bde2daf3ba8a3dc553766de816b5653be93 |
| SHA256 | 2983059e8429d3211af85cf964a198b4565068b1dd485e4557c06c82f3c87057 |
| SHA512 | 6737f77dbc6c8212be63e7ba147fb45906b662e9e84c26d8c915acf51375352465910222f3855dba3f6aa878f742cbc455e586e168f185b8a0994201d7101fdc |
memory/1780-169-0x0000000000400000-0x000000000109A000-memory.dmp
memory/1780-170-0x0000000000400000-0x000000000109A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1p7l9I9hxpxl.bat
| MD5 | a48fae72d20fe27d042c6a0bd3da7ac3 |
| SHA1 | fbd85e286e1a4975608586a184626d332c752b1f |
| SHA256 | a37f37d9b0900dffccb37b33844e672bfb6110e12d2c156c81865dca1478f06e |
| SHA512 | 77db6d5cb0983fd1593f253605565846c8b2b8db7510237cf3b89f520923060ebc2bef6ae930ed206f711947e986e43ed0403cefb595b4fd99dd1d55a269f569 |
memory/3616-180-0x0000000000400000-0x000000000109A000-memory.dmp
memory/3616-181-0x0000000000400000-0x000000000109A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\o6h07xL4tJkR.bat
| MD5 | e69bc10d5ad356ba8037b436c53d3667 |
| SHA1 | d6e1dec3d8d7bc9a63aaf0807e26b0300b2cbd85 |
| SHA256 | ba87817556ce850d98892cb3c2d1c27affa18ad5d0b7478bbbd97e0e15cc4ec1 |
| SHA512 | 0d6c6c5cb6ef922b3f28da79f4a62a428f1c7fca61a6ea73eabcc3c793625b88d07f57f346a2a0fdfa4ecde8f05cb6291f710718183d5d49245423d170bc0f88 |
memory/3100-191-0x0000000000400000-0x000000000109A000-memory.dmp
memory/3100-192-0x0000000000400000-0x000000000109A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tNuZQvLGpFvE.bat
| MD5 | 4881c91b533fa3ebeb2f27e60e8c4846 |
| SHA1 | e0c880f616bb9db89291d7816f2a0a24620fa235 |
| SHA256 | a095a2b4e912fbee8ce1f666af9529e0dfa4008ee2991eb92cd7378c86ed160d |
| SHA512 | 7ba74349bf6c630bbd137a078d86bc49d5f344c29e3d408c0ef7f5b285d6d1c5bbba89e2df51be72037454802988523c3827a6a7cea245e1456203239d9c02d2 |
memory/4128-202-0x0000000000400000-0x000000000109A000-memory.dmp
memory/4128-203-0x0000000000400000-0x000000000109A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\m0aU4krCSsDd.bat
| MD5 | d6b47f409a2a84475f790024bbdfecfd |
| SHA1 | 5d06e7d044f63da7a2ff60adff3bc548280ae9db |
| SHA256 | 536fb1cc3052e63e845d94b9fa1754962135fbaf44a81304fd829c2b90dd79c7 |
| SHA512 | 197631a854ffdcc8e9cf95e8d6db95a47efe87f4085d80a4708eebc043c53e85b183fadd75fa9293f88fa0fb75b71bd5a444aba2313abf81278a518e973cd291 |
memory/2912-213-0x0000000000400000-0x000000000109A000-memory.dmp
memory/2912-214-0x0000000000400000-0x000000000109A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\bWDpWVdzPxCF.bat
| MD5 | 7246d67d7e360f70810e45443ba92219 |
| SHA1 | 3f412ca48ae91753acc84031ac788bee932698ef |
| SHA256 | 5d77e3823faa45258e77acb7e4415e5f3b8691b4c268f06f13a88800d450b7d9 |
| SHA512 | 15bfbb65b9dbe819b660b5ba03c090464f4ac9bbe897fa1cc35496eb45c4c870f9c6502b057985061b6ab4db8be84f779034d67bda3e393dd73d0609b01060d5 |
memory/3148-224-0x0000000000400000-0x000000000109A000-memory.dmp
memory/3148-225-0x0000000000400000-0x000000000109A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\WB9Gf8CXchFT.bat
| MD5 | b9918bb92c5a83f84acd2ee6aa747451 |
| SHA1 | 028beb9e9dd07ff31fc456fc7d1435bd403741ef |
| SHA256 | ed506a8561e927f2481a008313759e4f3551ac924df9f65701e6d840ca1855f5 |
| SHA512 | 2c1fbf90ad865513778a4212610f4466653cc1d118033a7120fab2c350c943eaf9b5ad452aa7a9710043d34c632e71bb53112223edb5cf34a397b91b8c017752 |
memory/1296-235-0x0000000000400000-0x000000000109A000-memory.dmp
memory/1296-236-0x0000000000400000-0x000000000109A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\z3nTLowfSygB.bat
| MD5 | e90468893cb1e3f8875345bb6a248b30 |
| SHA1 | 9f07b2c0dd70c61c182921051049e89a41b2363a |
| SHA256 | 7af6846b34d486a1d2dcefefe8046628edbe319eed1c9d18f7b7bce948b8c66b |
| SHA512 | a439f7be2d24c749533192cc7bf7fd76e2a981bfd321199c4962a62138bc8d8e0a0a31cd22baf18285ae7662604ad87f39383143ba0a2b1986d732f0f6155e35 |
memory/4908-246-0x0000000000400000-0x000000000109A000-memory.dmp
memory/4908-247-0x0000000000400000-0x000000000109A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Phkkqnqmew96.bat
| MD5 | 78bd090d1cc43dc412f48b5699339bf0 |
| SHA1 | df27b98264a238ed4ffd3489d5d81181a2fe0eea |
| SHA256 | 0e3800430623c6983531f523c611ff9522da99e88e8acbf61bd2d3bdb1a70756 |
| SHA512 | 740fb26ed86548ac9dc45aebf042f7817485dc0f745c43136d059505647a81485bfd748a37922493fdf6879f37cffccf9158cc5d7a7ad841d8aeb163e91689be |
memory/576-257-0x0000000000400000-0x000000000109A000-memory.dmp
memory/576-258-0x0000000000400000-0x000000000109A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1jDiZxAAeoNN.bat
| MD5 | 129158fbda9a103b79e44052c59a23dd |
| SHA1 | f3dd8ce3aa9568fe433cafadd652675580d6533d |
| SHA256 | f84fe6c5151a215cbbfa02e98890073bd214245f892cb2b658cc6c5e2c95ab14 |
| SHA512 | d804551bc50dfd4dc320b219446cdd7541cf9a2625f6c0a980e5cbbe885ddfe87238ed8c6c8925900e9c874900e107dac2fc871169c25cf75753eeb8fa73f316 |
memory/1056-268-0x0000000000400000-0x000000000109A000-memory.dmp
memory/1056-269-0x0000000000400000-0x000000000109A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\phkYIrJs1vha.bat
| MD5 | 585dbb7468d65f3870a5b6b52518415a |
| SHA1 | 327b605751acae5607abca7c667d8f28babbff0e |
| SHA256 | 8d2826fe0c1425659052821a6a671c03f455590c398b881960d5f45cd2068273 |
| SHA512 | 786de055e6f2c5318653193bacb5babebc690666cbd0ef9bbe8c27936af65efc1fa87bcff83c3358525ff5dbb0cb311ccd5996e74cce927e2f02d86646b475f2 |
memory/644-279-0x0000000000400000-0x000000000109A000-memory.dmp
memory/644-280-0x0000000000400000-0x000000000109A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\vXTWDI94FV36.bat
| MD5 | 6733a7efa6e66eee32da56d05d8f5351 |
| SHA1 | dfca0bc8feaf7918f29ef27ab614477a4d096c14 |
| SHA256 | a54fa17942fd83c172b056e983167d23f80be2d530284bdc094a753e352def5e |
| SHA512 | c43ba0bfd68a72b9703c9e47dc2cabd87c7ccbacbda95dc9d0862c82846e2a01a85971942ed508584c50b05a6de9f66e50611dd567310ee47b31932df1808a6c |
memory/2692-290-0x0000000000400000-0x000000000109A000-memory.dmp
memory/2692-291-0x0000000000400000-0x000000000109A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\fKT0s5imb83a.bat
| MD5 | 3c9341ee2161e589bd014d9043ca06c9 |
| SHA1 | 3411366332413b72298724bc87f1da3e09a05a72 |
| SHA256 | a644f81b75f2d75b4ebb735acc3a23913f2d1a187471bf0c28fae7814388985c |
| SHA512 | 0a5974f197c99a3f633d3c7d21fd692c261bfd2c33984a89754959db60fa22c95c40c2d5e1dee2642f7b105844729940dabcf414d1ce95f833d72fdb322fd514 |
memory/2184-301-0x0000000000400000-0x000000000109A000-memory.dmp
memory/2184-302-0x0000000000400000-0x000000000109A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Tg5Ql46nqGCF.bat
| MD5 | 86f9c1023be39d219ed6b52ec3217249 |
| SHA1 | 4edfe1d575d9dda863d49b228a97126ff553053a |
| SHA256 | 455ea06b9456a834831b3a76a4380d6ecbee6365bb8fdb590aaf3a3b9b654ea7 |
| SHA512 | 18305a9f32bf9dbec43de2301e466c934e71fdbfebb0429d979618f04dfbd0a466043b556763a4a36af5a5e4a5f9e9f6ce6bc7e83bbf4a3f6f59406c9098231c |
memory/4784-312-0x0000000000400000-0x000000000109A000-memory.dmp
memory/4784-313-0x0000000000400000-0x000000000109A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\vVclqy4w8QNE.bat
| MD5 | 29863b25855f6a5188de039995b15725 |
| SHA1 | 32f993a8c00f9f5c98977e43f0eaaf12ba0010ed |
| SHA256 | 650817c81aa9b83881d8d3e24b6ff3e27870b2965dbff852fbd0cff44c790ff3 |
| SHA512 | fd0a96ff326ca52401e9b46217fac3a239f5d9b05073551e690df0acfa2374999f3947ae2560a80b99b4986491daa157187f111d6a130bb6e427a054bcc0ab94 |
memory/3764-323-0x0000000000400000-0x000000000109A000-memory.dmp
memory/3764-324-0x0000000000400000-0x000000000109A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1C5f0UZhPf8G.bat
| MD5 | 5daee772ac0cd40123ccd0170d734200 |
| SHA1 | 1859ef3ed728fa1309de375875d2882adabc0948 |
| SHA256 | 8b361861e2c7f3da76f7c87cf6d4f4934c3a790624d7bd30d949e0b0d2297760 |
| SHA512 | 37d93faf032819334143a3707731b03937504740f75186a6872dab40b3db550bb865363c47b2f16ae25e6afbae58518d8298f4026a6df8a225c31105def24a9e |
memory/3684-334-0x0000000000400000-0x000000000109A000-memory.dmp
memory/3684-335-0x0000000000400000-0x000000000109A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\UKudNP3J2ewP.bat
| MD5 | a4a21b8c856836848fff6d890bf32ae9 |
| SHA1 | 70863b9a8a114f208af58da7df2dec53d0b67a8c |
| SHA256 | 3ee85940dc72eb83ac652febe6f23c5f59126849108cb29d86c407ff22dce94c |
| SHA512 | 34de41c96e07ee0e54b21a32da7c5a17508fdd62f415a64778f684126b6783036d069a2b5a76fe53e04db38ad091b05d2caad6c2b7e7943251c908801b2fe107 |
memory/3908-345-0x0000000000400000-0x000000000109A000-memory.dmp
memory/3908-346-0x0000000000400000-0x000000000109A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\SRfXRT8VhMzW.bat
| MD5 | d04875f0ec9c076d4fdeba001c3f8e00 |
| SHA1 | 23a076bb84af1dbd6240fb83fa102abf51b83aff |
| SHA256 | 74608cd1595914d00f1035e928362d5382efa0ad5c93ab5716b12a95c087c9fe |
| SHA512 | 3f9e844a94318cb8f8f0d46ea9b6addefe65be51fce13fe3bc4cd56694a863d44a590c8e01996d21614d7dff852f0e38134ca15e7779b2f87649c679a72024b7 |
memory/2872-356-0x0000000000400000-0x000000000109A000-memory.dmp
memory/2872-357-0x0000000000400000-0x000000000109A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\0cFoAX79qZgH.bat
| MD5 | bbe45ef3586afe0371c249eef6227324 |
| SHA1 | 82300f2c64071de37871dc764c58987b3254eb59 |
| SHA256 | a4101311f7b7ba12cd5d994ae8fb63c34c36635b03221f7d697a4ca581fcb062 |
| SHA512 | 878e19b9100a56043b7c81b2bd2c13e10ee77947b1f4c6fef27a977aac876f1bb43f7c9e89ccddfd99dc0eb684141a2925834af77e946fd0de792e696e837fee |
memory/3896-367-0x0000000000400000-0x000000000109A000-memory.dmp
memory/3896-368-0x0000000000400000-0x000000000109A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\T1RFBqRjakCk.bat
| MD5 | 5a9a1b261c0de64e714c91a99f08a1b0 |
| SHA1 | 49c2042705ddff95a602283b4c9b6b013c547ad6 |
| SHA256 | ba04d1af757fa9f3ebe10c3d7b092bc97cf92bd4a528aef3afb9fc98fdf10558 |
| SHA512 | 6438ed71c7c565a6e6aba209d91e4cd74166e35ac3a78000c8f37a27c9146c1fc25abd4efe647145ed9de549e76e1ec6fd6f68b35f03d9e6160c87ae0a9bb085 |
memory/2172-378-0x0000000000400000-0x000000000109A000-memory.dmp
memory/2172-379-0x0000000000400000-0x000000000109A000-memory.dmp
memory/1220-387-0x0000000000400000-0x000000000109A000-memory.dmp
memory/1220-388-0x0000000000400000-0x000000000109A000-memory.dmp
memory/464-396-0x0000000000400000-0x000000000109A000-memory.dmp
memory/464-397-0x0000000000400000-0x000000000109A000-memory.dmp