Analysis Overview
SHA256
7915d96fd92766003b73b58c3e9b375487479b9b582ed3be8a88bf5fed8a8208
Threat Level: Known bad
The file Lypha-Builder.exe was found to be: Known bad.
Malicious Activity Summary
Quasar payload
Quasar RAT
Executes dropped EXE
Checks computer location settings
Enumerates physical storage devices
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Uses Task Scheduler COM API
Suspicious use of SetWindowsHookEx
Runs ping.exe
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-06-15 16:17
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-15 16:17
Reported
2024-06-15 16:20
Platform
win10v2004-20240508-en
Max time kernel
149s
Max time network
148s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe | N/A |
Executes dropped EXE
Enumerates physical storage devices
Creates scheduled task(s)
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe
"C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe"
C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe
"C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe"
C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
"C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"
C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe
"C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe"
C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
"C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe" /rl HIGHEST /f
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe
"C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe"
C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe
"C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe"
C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe
"C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe"
C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
"C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe
"C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe"
C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
"C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"
C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe
"C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe"
C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
"C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"
C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe
"C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe"
C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
"C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"
C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe
"C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe"
C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
"C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"
C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe
"C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe"
C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
"C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cIGNObGae6iv.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe
"C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe"
C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
"C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe
"C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe
"C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe"
C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
"C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"
C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe
"C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe"
C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
"C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"
C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe
"C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe"
C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
"C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"
C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe
"C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe"
C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe
"C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe"
C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
"C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"
C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe
"C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe"
C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
"C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"
C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe
"C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe"
C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
"C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IeW58JcGe6BY.bat" "
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe" /rl HIGHEST /f
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe
"C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\n5GB6O33sknp.bat" "
C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe
"C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe"
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
"C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe
"C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\51IZHGMBDLxx.bat" "
C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe
"C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe"
C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
"C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe
"C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GcI1BpvbzmJU.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe
"C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe"
C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
"C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe
"C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aO6qbqOaxawj.bat" "
C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe
"C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe"
C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
"C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe
"C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe"
C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe
"C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe
"C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe"
C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
"C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FdiB9P3X49or.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe" /rl HIGHEST /f
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe
"C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe"
C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe
"C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6S6NXqGuQXHy.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe
"C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe"
C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
"C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"
C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe
"C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe"
C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe
"C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe"
C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
"C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"
C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe
"C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe"
C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe
"C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe"
C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
"C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"
C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe
"C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe"
C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe
"C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe"
C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
"C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe
"C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe"
C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe
"C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe
"C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe"
C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe
"C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe"
C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
"C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"
C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe
"C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe"
C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
"C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"
C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe
"C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe"
C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
"C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"
C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe
"C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe"
C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
"C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"
C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe
"C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe"
C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
"C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"
C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe
"C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe"
C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
"C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Fhdehw6vI6xr.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe
"C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\G9nUYsq8YZb4.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe
"C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe"
C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
"C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe
"C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mtjQGD3xPATe.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe
"C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe"
C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
"C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe
"C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe
"C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe"
C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
"C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"
C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe
"C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe"
C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
"C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"
C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe
"C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe"
C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe
"C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe"
C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe
"C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe"
C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
"C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"
C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe
"C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe"
C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe
"C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe"
C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
"C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bsGRTk5jVA7m.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe
"C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\0rImd7GT25nw.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe
"C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe"
C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
"C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe
"C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fNyW9AUPA9QZ.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe
"C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe"
C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
"C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe
"C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe
"C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe"
C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
"C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"
C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe
"C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe"
C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
"C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"
C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe
"C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe"
C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe
"C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe"
C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe
"C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe"
C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
"C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"
C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe
"C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe"
C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe
"C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe"
C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
"C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aV7drPZapwRi.bat" "
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe" /rl HIGHEST /f
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fK3rpUUItVZt.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe
"C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe"
C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
"C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe
"C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zHOzCozhReER.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe
"C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe"
C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
"C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe
"C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe
"C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe"
C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
"C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"
C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe
"C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe"
C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
"C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"
C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe
"C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe"
C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe
"C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe"
C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe
"C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe"
C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
"C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xRd6nQctwjU1.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe
"C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe"
C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe
"C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe"
C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
"C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bEQXw8RRm9yI.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe
"C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe"
C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
"C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe
"C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PMzO9mgXUyDG.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe
"C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe"
C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
"C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe
"C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe
"C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe"
C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
"C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"
C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe
"C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe"
C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
"C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"
C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe
"C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe"
C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe
"C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe"
C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe
"C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe"
C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
"C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wtf415HuDUAJ.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe
"C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe"
C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
"C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"
C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe
"C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe"
C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe
"C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe"
C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
"C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe
"C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\v4Knujc5q3kp.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe
"C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe"
C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
"C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe
"C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe
"C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe"
C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
"C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"
C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe
"C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe"
C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe
"C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe"
C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
"C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"
C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe
"C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe"
C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
"C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"
C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe
"C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe"
C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe
"C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe"
C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
"C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fBsHq93w9Kc2.bat" "
C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe
"C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe"
C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
"C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe
"C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jWTgd1puwKT2.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe
"C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe"
C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
"C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe
"C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wkXKc22LSlO3.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe
"C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe"
C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
"C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe
"C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe
"C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe"
C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
"C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"
C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe
"C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe"
C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
"C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"
C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe
"C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe"
C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe
"C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe"
C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe
"C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe"
C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
"C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | team-circles.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | team-circles.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | team-circles.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | team-circles.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | team-circles.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | team-circles.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | team-circles.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | team-circles.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | team-circles.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | team-circles.gl.at.ply.gg | udp |
Files
memory/3056-0-0x0000000000060000-0x00000000001BE000-memory.dmp
memory/3056-1-0x00007FFBF0A03000-0x00007FFBF0A05000-memory.dmp
memory/3056-2-0x00007FFBF0A00000-0x00007FFBF14C1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
| MD5 | 0296021acfb4f37e63df4de7461ebfd9 |
| SHA1 | 14117dba6ce87cbb6561ebdfffec60cb21860800 |
| SHA256 | 4fc6d003d67f0a1b3a276018516c6a0fe6301b10efe9e41fccd2e5a645a3333a |
| SHA512 | ffff32821dc347531f6e814df23b1f848df002c33ca83c635bc2fb1d3b810e9c21ffa6da6f0beb1a207f55a9d4048828545d678a8137991d1de2266bcbe1deee |
memory/3224-12-0x00007FFBF0A00000-0x00007FFBF14C1000-memory.dmp
memory/3056-18-0x00007FFBF0A00000-0x00007FFBF14C1000-memory.dmp
memory/4516-17-0x0000000000140000-0x0000000000464000-memory.dmp
memory/4516-16-0x00007FFBF0A00000-0x00007FFBF14C1000-memory.dmp
memory/3224-19-0x00007FFBF0A00000-0x00007FFBF14C1000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Lypha-Builder.exe.log
| MD5 | 2ff39f6c7249774be85fd60a8f9a245e |
| SHA1 | 684ff36b31aedc1e587c8496c02722c6698c1c4e |
| SHA256 | e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced |
| SHA512 | 1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1 |
memory/3224-22-0x00007FFBF0A00000-0x00007FFBF14C1000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Runtime Broker.exe.log
| MD5 | baf55b95da4a601229647f25dad12878 |
| SHA1 | abc16954ebfd213733c4493fc1910164d825cac8 |
| SHA256 | ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924 |
| SHA512 | 24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545 |
memory/4516-32-0x00007FFBF0A00000-0x00007FFBF14C1000-memory.dmp
memory/2708-44-0x000000001C0C0000-0x000000001C110000-memory.dmp
memory/2708-45-0x000000001C1D0000-0x000000001C282000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\cIGNObGae6iv.bat
| MD5 | b61e628c7a5f32240e0490782c1a6e02 |
| SHA1 | 2b82c68f1eaf7cf8c5a1cfb6e2b87a618d965ce8 |
| SHA256 | ecc6b37e03ea86e5623487645feb3afe36789d2682ff77639f40671f3bd80c2f |
| SHA512 | 2bb64c9b0b735ca17aaecda0488fd42a724bb767e76ad234870e94275e6a5148d6e2b70e23012929ee64025b2bb94dbd860d754da99c38d6b8caa7b92ebc9121 |
C:\Users\Admin\AppData\Local\Temp\IeW58JcGe6BY.bat
| MD5 | 6a91741a6a256fe14f774fb9228fa98d |
| SHA1 | 58b77f1537228388c5c91fef000159f4c67eb10d |
| SHA256 | 024c7a3a76470846c3c0180eb496c46286238bdbdff33c110b7be8fde6336232 |
| SHA512 | 656f03710bc455698504c73fbd561794f83c1ea95265a89cf36e9a989cf0b04d64dbb4b7c2b56da17e88959d545a4735558e8e1a3edd5d632632f2f576b9d231 |
C:\Users\Admin\AppData\Local\Temp\n5GB6O33sknp.bat
| MD5 | 2c02fef1e9c3050debabda1b8547345a |
| SHA1 | 7e18a822aee92d36e412426ae1a257195d7bfee5 |
| SHA256 | 096c53334c99a51c16e5b8a7762407f9c55c02b2a7ed6791bdbf679a3a344ebc |
| SHA512 | 7f563fdfff7eb55cdebace910d976c09409acc4c7670357681346edec8f8e8f99482402fab36a71be34f9002094db9b2bea923478269220b403a39a268af2c67 |
C:\Users\Admin\AppData\Local\Temp\51IZHGMBDLxx.bat
| MD5 | 38dc8d51c3d2cff220730961823bb98d |
| SHA1 | 5b799cbf15b9f543ec69649434394ac0aa37208b |
| SHA256 | 5eecac9a3dab8e02dec461f8fa2111d6f88613225ffc15436a0f94ca8819b61b |
| SHA512 | ab4a46c85c8d433935582a54649c342d83396da3d4c37c65376ae88604da33296002177bd7e3531df66ce2215979b240bb7d84c34f852c47565fc783dea83950 |
C:\Users\Admin\AppData\Local\Temp\GcI1BpvbzmJU.bat
| MD5 | dc24d1e05cc70a2d1db4e547c6e4a34f |
| SHA1 | 830a808221f0e20bf2e3214313eff2e10377e544 |
| SHA256 | d0b3443bb4d7af4f2997457a21a113be2f0752654a0c8d2b1fcca8b3feda229f |
| SHA512 | 4448eca52bd2549477019243a2cfffa2e413aaffcc54a9a9716d406b715576ef09162adbc4371067ed31e81fd364ee179256ed1c44de2b4e8a19aa28b55f0c33 |
C:\Users\Admin\AppData\Local\Temp\aO6qbqOaxawj.bat
| MD5 | 9d4d060a7d0b42696931bbb73537051f |
| SHA1 | f10f6a1ca4374f0b4fc12687fd56bb56be7bd55f |
| SHA256 | adc2221ca71b4d40f7f49187d0dea6394202f32b7b2ef06e471e17881bb1d9f1 |
| SHA512 | ae435781f5660674a32270cbd42e18ee73ba84d8b9d05948fb39ec35ccaef74e3b4fa4afa12d0daff1cefdfb892932d21cffdd9c3a104d52786a4009a52613fc |